541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427

Analysis

max time kernel
442s
max time network
446s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
02/05/2024, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Hydra-1.1.0.Setup.exe
Size

128.8MB
MD5

366d719f4ffb6e6378bb8eb0ca5f89c0
SHA1

7ab9d1f32366c7eba513c37ae7304f6c74dd8933
SHA256

541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427
SHA512

da1816efa36d0f9e9c8aa0d03cd9cb64851762d83e212d5f91d77d42de91fc23af920922bbf1ca5824a2668d0d4915fc9b024b1dc0abbeb56e6a3e5ed970d5ca
SSDEEP

3145728:QkJG7QPqLxp8O4d4pPU62+0JXWg3/VnRbQvk4H6wWhuyGdgv+m7K2mpHQj/:QkJGUPsxdHt0kg3/VndY5dQ+mO2mpHg

Score

9^/10

discovery execution

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Hydra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Hydra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Hydra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Hydra.exe

Executes dropped EXE 22 IoCs

pid	Process
3116	Update.exe
3624	Squirrel.exe
4260	Hydra.exe
1852	Update.exe
2840	Hydra.exe
1776	Update.exe
4836	Hydra.exe
4208	Hydra.exe
2176	Hydra.exe
816	Hydra.exe
4656	Hydra.exe
752	Update.exe
3960	Hydra.exe
2236	Hydra.exe
1592	hydra-download-manager.exe
1048	Hydra.exe
3352	Hydra.exe
1776	Hydra.exe
2720	Hydra.exe
1308	Update.exe
4840	Hydra.exe
4244	Hydra.exe

Loads dropped DLL 42 IoCs

pid	Process
4260	Hydra.exe
4260	Hydra.exe
2840	Hydra.exe
4836	Hydra.exe
4836	Hydra.exe
4836	Hydra.exe
4836	Hydra.exe
4836	Hydra.exe
4208	Hydra.exe
816	Hydra.exe
816	Hydra.exe
4656	Hydra.exe
3960	Hydra.exe
3960	Hydra.exe
3960	Hydra.exe
3960	Hydra.exe
3960	Hydra.exe
2236	Hydra.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1592	hydra-download-manager.exe
1048	Hydra.exe
3352	Hydra.exe
3352	Hydra.exe
1776	Hydra.exe
1776	Hydra.exe
2720	Hydra.exe
4840	Hydra.exe
4840	Hydra.exe
4840	Hydra.exe
4840	Hydra.exe
4840	Hydra.exe
4244	Hydra.exe

Unexpected DNS network traffic destination 17 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	95.37.73.98
Destination IP	31.186.79.86
Destination IP	37.112.14.22
Destination IP	37.112.14.22
Destination IP	77.223.88.94
Destination IP	95.37.73.98
Destination IP	91.236.142.64
Destination IP	80.91.23.48
Destination IP	217.107.115.204
Destination IP	37.112.14.22
Destination IP	92.51.18.112
Destination IP	212.58.121.123
Destination IP	92.51.18.112
Destination IP	77.223.88.94
Destination IP	5.165.114.141
Destination IP	5.165.114.141
Destination IP	31.186.79.86

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
1156	powershell.exe
4424	powershell.exe
1016	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Hydra.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Hydra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Hydra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Hydra.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Hydra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Hydra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Hydra.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4904	tasklist.exe
4392	tasklist.exe
2172	tasklist.exe
2516	tasklist.exe
920	tasklist.exe
4880	tasklist.exe
392	tasklist.exe
3880	tasklist.exe
4244	tasklist.exe
4764	tasklist.exe
2104	tasklist.exe
3872	tasklist.exe
2104	tasklist.exe
3168	tasklist.exe
3944	tasklist.exe
4716	tasklist.exe
2104	tasklist.exe
1576	tasklist.exe
4816	tasklist.exe
2188	tasklist.exe
2268	tasklist.exe
4044	tasklist.exe
1188	tasklist.exe
4180	tasklist.exe
4496	tasklist.exe
4480	tasklist.exe
4680	tasklist.exe
2572	tasklist.exe
876	tasklist.exe
488	tasklist.exe
4864	tasklist.exe
352	tasklist.exe
344	tasklist.exe
920	tasklist.exe
2516	tasklist.exe
4680	tasklist.exe
3112	tasklist.exe
2904	tasklist.exe
3828	tasklist.exe
1780	tasklist.exe
4256	tasklist.exe
2516	tasklist.exe
4824	tasklist.exe
3360	tasklist.exe
1440	tasklist.exe
4824	tasklist.exe
1596	tasklist.exe
1864	tasklist.exe
1672	tasklist.exe
2620	tasklist.exe
4044	tasklist.exe
4744	tasklist.exe
3916	tasklist.exe
1252	tasklist.exe
752	tasklist.exe
4488	tasklist.exe
4924	tasklist.exe
2736	tasklist.exe
4880	tasklist.exe
4140	tasklist.exe
3924	tasklist.exe
4304	tasklist.exe
3432	tasklist.exe
2816	tasklist.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Hydra.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000a258c27110006879647261003c0009000400efbea258bd71a258c2712e0000008bac01000000080000000000000000000000000000002bbb200068007900640072006100000014000000	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5e00310000000000a258287210004150502d31317e312e300000440009000400efbea258bd71a25828722e00000096ac010000000700000000000000000000000000000033d10b016100700070002d0031002e0031002e00300000001a000000	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\URL Protocol	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000084581162120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe84581162845811622e0000009f520100000001000000000000000000000000000000bc45a3004100700070004400610074006100000042000000	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\URL Protocol	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000a258bd7110004c6f63616c003c0009000400efbe84581162a258bd712e000000b25201000000010000000000000000000000000000002a2f1b014c006f00630061006c00000014000000	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\URL Protocol	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Hydra.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Hydra.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\hydralauncher\shell	Hydra.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4260	Hydra.exe
4260	Hydra.exe
4260	Hydra.exe
4260	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
3352	Hydra.exe
3352	Hydra.exe
1776	Hydra.exe
1776	Hydra.exe
1776	Hydra.exe
1776	Hydra.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
816	Hydra.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	4876	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	2784	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	4616	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	3612	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	404	tasklist.exe
Token: SeDebugPrivilege	4228	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	4424	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	2232	tasklist.exe
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	5080	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	4488	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	96	tasklist.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	2676	tasklist.exe
Token: SeShutdownPrivilege	816	Hydra.exe
Token: SeCreatePagefilePrivilege	816	Hydra.exe
Token: SeDebugPrivilege	4960	tasklist.exe
Token: SeDebugPrivilege	1500	tasklist.exe
Token: SeDebugPrivilege	1016	tasklist.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3116	Update.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2176	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe
816	Hydra.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3116	2440	Hydra-1.1.0.Setup.exe	73
PID 2440 wrote to memory of 3116	2440	Hydra-1.1.0.Setup.exe	73
PID 3116 wrote to memory of 3624	3116	Update.exe	74
PID 3116 wrote to memory of 3624	3116	Update.exe	74
PID 3116 wrote to memory of 4260	3116	Update.exe	75
PID 3116 wrote to memory of 4260	3116	Update.exe	75
PID 4260 wrote to memory of 1852	4260	Hydra.exe	76
PID 4260 wrote to memory of 1852	4260	Hydra.exe	76
PID 4260 wrote to memory of 2840	4260	Hydra.exe	77
PID 4260 wrote to memory of 2840	4260	Hydra.exe	77
PID 4260 wrote to memory of 1776	4260	Hydra.exe	78
PID 4260 wrote to memory of 1776	4260	Hydra.exe	78
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4836	4260	Hydra.exe	79
PID 4260 wrote to memory of 4208	4260	Hydra.exe	80
PID 4260 wrote to memory of 4208	4260	Hydra.exe	80
PID 2176 wrote to memory of 816	2176	Hydra.exe	85
PID 2176 wrote to memory of 816	2176	Hydra.exe	85
PID 816 wrote to memory of 4656	816	Hydra.exe	86
PID 816 wrote to memory of 4656	816	Hydra.exe	86
PID 816 wrote to memory of 752	816	Hydra.exe	87
PID 816 wrote to memory of 752	816	Hydra.exe	87
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88
PID 816 wrote to memory of 3960	816	Hydra.exe	88

C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-install 1.1.0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --createShortcut=Hydra.exe
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x520,0x524,0x528,0x51c,0x52c,0x7ff6753ba880,0x7ff6753ba88c,0x7ff6753ba898
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2840
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
      4⤵
      Executes dropped EXE
      PID:1776
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1872 --field-trial-handle=1876,i,1404015033690466390,12400449864973461080,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4836
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=920 --field-trial-handle=1876,i,1404015033690466390,12400449864973461080,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4208

C:\Users\Admin\AppData\Local\hydra\Hydra.exe
"C:\Users\Admin\AppData\Local\hydra\Hydra.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
  "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x4ec,0x4f0,0x4f4,0x4e8,0x4f8,0x7ff6753ba880,0x7ff6753ba88c,0x7ff6753ba898
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4656
- - C:\Users\Admin\AppData\Local\hydra\Update.exe
    C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
    3⤵
    - Executes dropped EXE
    PID:752
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2052,i,15165513639726230812,17632359473962428277,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3960
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2548 --field-trial-handle=2052,i,15165513639726230812,17632359473962428277,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2236
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\dist\hydra-download-manager\hydra-download-manager.exe
    C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\dist\hydra-download-manager\hydra-download-manager.exe 5881 \\.\pipe\0742a6d4256ab8b77d8276f5fcf17ebf \\.\pipe\c03b6a9745c33995474fe6910bb2d4f4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1636
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.squirrel.hydra.Hydra --app-path="C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar" --enable-sandbox --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3112 --field-trial-handle=2052,i,15165513639726230812,17632359473962428277,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:96
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1012
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4508
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:96
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:504
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4212
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:952
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2268
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2720
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4108
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1156
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3360
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2784
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:2816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1252
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3996
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3384
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:4484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1016
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1372
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3152
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1912
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1636
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1028
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4508
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3692
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1980
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4644
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2380
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2620
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4024
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2768
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2296
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3076
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4468
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:988
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1064
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1308
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2032
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3612
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2668
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4508
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:8
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4180
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4420
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1288
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2380
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4664
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4292
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:8
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3180
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1372
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3368
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2032
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2664
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1028
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4700
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3916
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3360
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1600
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:8
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4416
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2768
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2364
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4180
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3360
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:524
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2088
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4116
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2252
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5116
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4840
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2740
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3936
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1220
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2460
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:772
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3876
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4008 --field-trial-handle=2052,i,15165513639726230812,17632359473962428277,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1780
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1756
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2088
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3468
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1064
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1084
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1252
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4560
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4456
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4248
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3152
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2268
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4140
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4292
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3464
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3416
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4700
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3468
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3612
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5084
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:976
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1780
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1636
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3436
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4140
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3324
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:704
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1028
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4416
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:748
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4688
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:976
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4664
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:748
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4420
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4496
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2720
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2380
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3996
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:504
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4292
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1308
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1660
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:976
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2664
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3284
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:524
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4968
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2736
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4860
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4840
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2740
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2460
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4116
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4688
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4496
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2720
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:684
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4460
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:952
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4928
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:732
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3076
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4180
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2852
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4644
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1776
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1324
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:952
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3324
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:988
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4964
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2380
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3432
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:684
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3180
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3100
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3872
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4972
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2364
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1012
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1280
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3360
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4784
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3888
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4952
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4116
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:988
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2676
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4232
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1220
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4840
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:704
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1980
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4456
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1780
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4700
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1068
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2296
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2620
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:704
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:820
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3328
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2088
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1288
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1160
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1372
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1404
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1308
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3888
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2692
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:820
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4968
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4700
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4904
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1756
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1220
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3416
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:744
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2284
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4928
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:772
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4304
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2460
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4248
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3152
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2268
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4420
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3464
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3432
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4872
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4472
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3464
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1128
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3152
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3328
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1920
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:8
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2924
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x4e8,0x4ec,0x4f0,0x4e4,0x4f4,0x7ff6753ba880,0x7ff6753ba88c,0x7ff6753ba898
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2720
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
      4⤵
      Executes dropped EXE
      PID:1308
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2028,i,5025240458966680333,13662452396316439690,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4840
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=1536 --field-trial-handle=2028,i,5025240458966680333,13662452396316439690,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3480
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4116
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4496
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4832
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4248
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3872
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4420
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4048
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1804
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2692
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1596
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3672
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4228
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5080
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1244
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:316
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2268
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3996
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:4864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:3944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1068
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3828
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4292
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4052
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:732
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4512
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:820
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3328
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4024
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5108
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1716
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    - Enumerates processes with tasklist
    PID:1864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4816
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4880
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:820
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4508
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1444
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4484
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4992
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:352
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3284
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1256
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4824
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4412
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3164
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1760
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:684
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1864
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:5112
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:1940
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2252
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:4092
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /nh /fo csv
    3⤵
    PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Filesize
1KB

MD5
26714738742ed6c7e6e824979218754e

SHA1
2072bab092ef6e82a13103a9dd4f172fbaf218e5

SHA256
e00fe44978b689c224aca3afea9a78743342263d9104737dbf052344c9ebfaca

SHA512
2de4806b89531938162f4393a5ab85e5ddd92603f761346c20b0d00468dcbd2bc6e7d6e067c4dec9f8472bcfaaa74d20e7dc85920b9bfd0152568929e42a1fde

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
82aad9846f60a10e4495a1c628a4f0b6

SHA1
4119492d3c6fe99ba75f852756d8b04b950e76f0

SHA256
529fd322807a4f0ad7a95c5ed06b4aaf0aabd3f52f33d9b852c6f063a63ef839

SHA512
e19321f50ec6aeca3f040ea98f88a03e4afe8908796a4dbbd7bb41b25713b7a85fbc1dce366d25afea47d4a67181164b678e7f727bd58d88b68db7fafebcbdaf

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
a560bad9e373ea5223792d60bede2b13

SHA1
82a0da9b52741d8994f28ad9ed6cbd3e6d3538fa

SHA256
76359cd4b0349a83337b941332ad042c90351c2bb0a4628307740324c97984cc

SHA512
58a1b4e1580273e1e5021dd2309b1841767d2a4be76ab4a7d4ff11b53fa9de068f6da67bf0dccfb19b4c91351387c0e6e200a2a864ec3fa737a1cb0970c8242c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
11KB

MD5
2e4587a60d1bfe337eeb2601c49fb135

SHA1
145d5e3d2ad85a99449a966f7eb131b3c90af481

SHA256
c665ea7e7605a3e9af8be71e3e78c6da60bbafa058b707fd628ca0058e37999b

SHA512
e8b7c0bdd4d5d80479c40b77927982da874655e990ce2b5df1203a3c07817ead5fd178266f2e75d2837b4b6addafb3fb74de1be5ab7b49b0efee89aa289c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djaicfxs.i2s.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\hydra\Hydra.exe

Filesize
261KB

MD5
c29c528c1e3eafbe317a0b390ae9cb90

SHA1
1b98d7b425d335ddd34d6cc612c4768894c345fe

SHA256
37c8d1d2853655c3ea13994199e9bb2b0c030b7d751c5081851373c8857b8e79

SHA512
4e038d113041715f4dca360503611a35a8651cd8fd3e730ea51b12206677d4aeb786244e82a7d4ad76de5bba846ecf130283068ea6e859af73c4de93c19be4d7

Download Submit
C:\Users\Admin\AppData\Local\hydra\Squirrel-CheckForUpdate.log

Filesize
3KB

MD5
ca873b5e149d6844f4e0bd6c3855458b

SHA1
95811ec0bc1b24ce934f92d1ddd2b8fd98923faf

SHA256
9cbf77bb97f90cf3f0bd50c30197c7796e142c65842b211bf793878eb25cd663

SHA512
66b1d1ea417f7487ce938f22c3b612c812635f1ce95430d0ee2a2513f66aa297aecc8535e4fa680d27c521e66aa7b0fb66e77f596e22c800cc5e9bb71613cabd

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe

Filesize
1.8MB

MD5
ff4f902f07f0d3ce4768ec7c5d79f204

SHA1
c3dbb5119263d332a575105a4aa2e91b136612c1

SHA256
0a8a6015b64e956211bd8e70eab23801801358c77d606ef4517eb871d5c8fae8

SHA512
f11a5f60b0d9944e19b98aed6c72b2a4f33660dbb1ccfaa293189b56d6e497207d084bf63e2ae1636c3d4f25077cddfe881c34a625fedc127567fdefae84793a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\ffmpeg.dll

Filesize
2.7MB

MD5
855d27d5735c1afd26ff53a7f1bb93eb

SHA1
fc4d2c2f13022bedbdee3eb073961587360bb6ca

SHA256
a32800cbf98c84f2da9dcfea2fe8bdcfaaeef07c4eb81469945a992f83bb339c

SHA512
d6df90c3dc66f9dc9d8f7549d8385c0853a398b6dde5fecfbeb2396725f4c4aab50021b39fdb09ab6f553483e9a2bc985a3d4cce33de4c3f3958a86430cccb69

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\locales\es.pak

Filesize
530KB

MD5
fe7c4ad3f058c2511bd4d98d9b147fa1

SHA1
d384e3d9b68a447b898b53ff4fad9d3a3bf6b057

SHA256
e09883eb027accf16b738e5a8072c28dfa5eb76b1a94b6e3ffda550fbb74c7ee

SHA512
96f3f16f156d6acc5138afbf0803e3c920eb6190d667344241284bad2396e2f3773cd4d44a9e3333e4fdd7c5f5448261d3b8ebe7b9c0808c5e12ea0a8b69c52c

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources.pak

Filesize
5.0MB

MD5
8b4ae918802e54e58cad58b37cc9085c

SHA1
99ba711d34401ae0205ab86aeb7fccf52b576168

SHA256
51eef9af8b1d4cf7c9e4ecfb78b6954ba179e2298b1f134ffdcb4b9eab1bd8e6

SHA512
fe068c1e1b4929a0e85ec5bcf925f75d5a80d892fe45a1c948c39d433aec0674cdb55809c2659aabd9a969aa61387c8a5796d226116ed75c7a4d05b5c09fc785

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar

Filesize
11.0MB

MD5
ac9806525d2615d75a015a555d26f0c2

SHA1
88d66a4fdaf87eaa9a6f3c632e795c67b377ee59

SHA256
a9bf0998bfda78da9f1426ef98c1f61d63fd073be7e29269a3ae18a8ae0ee85e

SHA512
33c060955144905ee67f884df49ed99ca5f051b6607c9ce6a4ae35eacebb90081ee9cc7055f3bc6fc583a84c27f7a00a5e628904fc167b82bb5cfd984d5fc303

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\hydra.db

Filesize
48.0MB

MD5
5ea8df2f2999e675faf22fdb2c8c5d72

SHA1
40f5579bdb8031066506c6468938f805adae30f0

SHA256
ec3d9a0bfcb8b704ca68a28585c7620766f93e3e4702673eb0ab866f35474233

SHA512
fe2a79c0d6afcca49bdf115d6d46f8676c7cb75df4168856fc58738038f1f100e9b09c28ffb66da18d116e9c1e87280d9f976eb5e7f820ed28b5e176c8bda71f

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\v8_context_snapshot.bin

Filesize
663KB

MD5
796517f2fa15adf83ee3be8e7d647a73

SHA1
4287c74c8a765286350dc5322eb79dcdc3f2fd06

SHA256
68effe7d9398b4e81b829fe65c4c68c4cbb9b42a4bb146df826fbf808926f675

SHA512
7c24fb1c249d7355f0b2576e14fa802acca11333ee23ec59503ae611292de63c217343af77c49ca10ed6e9bcd792810a1f1b2abc50784572902ec87ea7203f03

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\vk_swiftshader.dll

Filesize
5.1MB

MD5
a209cc01921c3cceebf40fd2ca3aa1eb

SHA1
7c6a483cd79642fc76ecd695f2bcbcd32034f11d

SHA256
d60bf3062d47378d169aea2f7e6666a099d116e55305ae4f3a494f969b7d3d4b

SHA512
276e8856ad362a6836c021f712df9668c1b0eaeb0ed4ba003b5aab5c37cb7427f6cbdcb51fbe657eeb3af276839a3f622a6499dc8b3a62cde82890eefca5e300

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Crashpad\settings.dat

Filesize
40B

MD5
aae78ded02f30dc1b5e27d722584ade5

SHA1
53cdca3c8fc1834b198097331789038a95e917b5

SHA256
8cf520b72ce3da034974fadaf48bb23f567a850f3d81f219711790a37accd199

SHA512
89cb875ce092d0623f37573746e429d0d1cdab8a633423d509ad6237a6824056fcdf08a6c212e03263b66cbc75bd9561f70beb52c63c6f17b65844f3a065b51c

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local State

Filesize
434B

MD5
3723e8d18e17da0fff5a42267d8423c5

SHA1
8731f272083ef00c4448ea60d87a4ae6093bc52d

SHA256
ffbc67097bac13ef1ac026b4789d38f475c46a8bc4fdd89c9e5f78a9c61e8145

SHA512
5ab0f5adbd26a5f3717d31ad653a3fb1cc2c1efde5cec4b280a36766a342ea1c2ba478ea30ecd889d9031d06a606e2131e1cf9570655cd7012f2b469c9b549b3

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\LOG

Filesize
241B

MD5
81b48e3a023231e923ddc6466e59839a

SHA1
c93373a1d3d1799f9aaa8fcd32f0726b6a8be501

SHA256
e7b0aafc67a83800168c49030b0f78f57929b45c6ae941ff010ef19f4365d5a2

SHA512
7eb9b9fe585e03bc661ee7af74eadffb6e029354d61e491e72638242ac6c649b07b8d35a9dd1f160010bce14513b72dd5e47082186a0d783a1426fcb526323f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State

Filesize
1KB

MD5
7e70eb163a2cca160466f9891db65bca

SHA1
91b5e25755953c983b704e456d487e93642ac516

SHA256
cb9e1a06c0d82fd7672af66adcb791e484cae78cc2a61c26a9b5874c6758d338

SHA512
b0a2f891bb984fe169aa6bd7efa034a6da98edfbba592c2882f709576765bc9fc5a99a7c9e5f293ed5a23f0bc57f626cb2b81e6b98a9ce60ec460afcc4c9edd7

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State

Filesize
1KB

MD5
1d436fb663241c9f043c7f096486cdea

SHA1
820c47c9b8c999095112d19b4dc30993ccd86bc3

SHA256
995845028d59035fad4051cca33996d31a2c9619cfdc34e9acc5517f74aa84d5

SHA512
4ade606755460e6012f68bceca16e80297c7a59889d00a37bf9b1591e8cb859cfddee0a059aa5946d4bca04c9011472c511b96d1225c664bb2ff08c19d0e539b

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State

Filesize
1KB

MD5
ed0a5f823e0bf35d2995af4baa799d5a

SHA1
205039460cfa17fc3867b81ff9d5b3f3e3403a4b

SHA256
6adda0d0154d1b654d77aeaf29042cc2368907a5c3bd79f87dd338ec7ef942c5

SHA512
843cb6bf3fab788025fe516320351dcaece31501e138cce8f4a9e86d9e13151dc494afbfeaa302d547ebd2618e78e7b71aa306ba1be25e90407e54e76ec8f6d6

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\Network Persistent State~RFe5b92e6.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
356B

MD5
ae5b8bcdd6a24a9b55668b1494067711

SHA1
880d64ce838e6cba54ea1e4e7fe24ec7e7b0e0b4

SHA256
d9130788a81218c04902a5d1c9945f0375395e002bc9b8a09b92e8ba5295820d

SHA512
a7d61b1176f8800432ecd2e4b7740390a6f399e83babbc44e0eeb8da613b888095993731512b65bfa19d7637b0457fc5827111201b7cbe6228b0ffa84c9db0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
523B

MD5
99e2e3b2b9e407a94c6be5ccd6d64c31

SHA1
9b52e77b4bba5cdc47942e986ba61772211a83d9

SHA256
e7a29d25fa37fcd38eaa405b18c16682ac70cf719cad31e75d7f15ec8092c175

SHA512
ef00084392102863abbfeee4bdf968611a1e73b1a91155d165d0b95424fc7fdf3f9acc8802a8db830fc5639a00e00343e0c3bd7b8f6c1faf01d12ffcf94cd24c

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
523B

MD5
016004f64632c708500c50320b38837b

SHA1
cd071a5f0096bede09ae141e538665ccc75afd81

SHA256
50191b7a8c2005f97415df3d2823b5d78e17f2f2210afe4e86f3dad94e000a9d

SHA512
fbc1a1ed1ac1377cbfec4e5d6037dcca12698776e8439f4d156927999d52ca494b50096ccfccb3421656028b6faaedf874e1421496426c76e0cd14014529caa3

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
523B

MD5
5c89ad35074c78fb25cfe4d768c6d73c

SHA1
a2e6a8f698c88483b6a913299a89a18055fb4eda

SHA256
999a7c22d437e6d9b3f245c864b8364216163312e98decf195ddaa8491dafef2

SHA512
2fffca24e293dae5502be5dcdd3f58f5df8207f06cc323ad6c6639c90b1740dd889617858a2bed24fee979c4f47eb10e4c301a941b63e4d436e6881fb9349a95

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
523B

MD5
df6ba55856cb20058f8975ca4e0eb79b

SHA1
373fd67e7e00f9d5b2cb6e1007a204c8fe784c24

SHA256
e0f231f9f0d8cad20ec5db390fa4e92f2d77db7d6d58c47d2b18981d2a8cc8e7

SHA512
21ba3e0c72d2f5f3f2bc3d398cf80eea8d43a6e2dab40a62e61074f0735be58377d9403a6cd7de2055d5f228dc1abec5c8cf139e2c23be78cc1fdd5616c12144

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity

Filesize
523B

MD5
2188d406fee029d2e061d5186cdcb939

SHA1
27ded6456509a7c187a4379aab57a1c5637355d0

SHA256
dee6d8e8a491e59b4408dbb18c0f2203513d9ad921acc5a75412912fcd9d81fb

SHA512
d38d27e2f2b70e8741f4e001e54c9509d751cc9b0231e3d82adcd0454437e3f9b600801e1a69fbd2f274b21e43f30f6391bce418cfd1b5a460cf8c1a25fb7352

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Network\TransportSecurity~RFe5b1421.TMP

Filesize
356B

MD5
35a4f764ab867d38d1134847209f295a

SHA1
9dd3b27597f1af41559e8197befc5e8b78bd4888

SHA256
2cc4f0ceaf6ab1bc759d4f24a8d0e49ce8e4e2225999afeab39ca686ab205bfb

SHA512
08a552a0b0dad63a31ea3476b6f6cddfea3e2a6078a633821f8bb7ddc7d37d370c0355dddfbd0fb6b501ade0af41af14c994cb0d0801fa48ea18ac8bb5e5675c

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\Preferences

Filesize
57B

MD5
217c781be08416f5b6fa33aedf027293

SHA1
0e76955a55f31406fc64e3b136f1bb9214bc2d79

SHA256
3de8ead96083d18355eed62a5b8089a61f6c7f97ba3dba04cbefae364f0455b0

SHA512
964b588d2bb87d3e19924cf8a16f1c35807c45ccb41caa00be9dd4e34b9fdfa0625973828a9df1f5f56354f00bf13939e01798c40a8a7089c9aee4535e45b099

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\sentry\queue\41a9f54922454afb8395f112bad54905

Filesize
19KB

MD5
9ca3910d2b580bed484f19a7d77aa69c

SHA1
ef37f9d2e5e3285c056a0c2c0f0dede942dc9859

SHA256
a90008fce73e9e311597f6e5baea993970a8d1f49c3a0b63420b6b3b07e0b260

SHA512
2909955cdbed12e3bbee0ca18b884d6118a825f73b5ce9f419a0f554015b4a39918984bcc8e2e2645a7c3fa2f4a61bc5542c51191588cc66455924aa5d8796f3

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra\sentry\queue\queue.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
\Users\Admin\AppData\Local\Temp\a4822f9a-9cac-47da-9c2a-66bc41126730.tmp.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\Users\Admin\AppData\Local\hydra\app-1.1.0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
\Users\Admin\AppData\Local\hydra\app-1.1.0\libEGL.dll

Filesize
468KB

MD5
5667c348e845c446fb56d7f9d4f11019

SHA1
f02f09799a54ec90371370deac68d36499be45dc

SHA256
72126255176dca2000061657efa0a8e91a9658d1724769b9260093116e131c33

SHA512
daf716e9af5976772e0bf7f33bcbcf347f64de8fc9787f568c1478a464d9f4603f92f3e41242782b07cb5503fffd78bc2e25f040cb932a52614e46a8e92bd2f6

Download Submit
\Users\Admin\AppData\Local\hydra\app-1.1.0\libGLESv2.dll

Filesize
7.3MB

MD5
eaedf6de749ef1230197ce1ac0455f0e

SHA1
ba737231f09676278cdeb7840aab1df1ea76c57b

SHA256
8dae6f25ad4fcbbb7eb617ac02fac48c7f0bea7f75c630ea02882cf4fb469a25

SHA512
3417438c516a51e1e04a82c4f145d881c2f2dfb90428656c9aaea80b3b46fa3e4c536b320bc6b137186e200603a4aaa250bd21e0f117b3a02f224cbf20d3a2cc

Download Submit
memory/1048-2697-0x000001E8F4030000-0x000001E8F5467000-memory.dmp

Filesize
20.2MB

Download
memory/1048-2402-0x00007FF9CD050000-0x00007FF9CD051000-memory.dmp

Filesize
4KB

Download
memory/1048-2403-0x00007FF9CE5A0000-0x00007FF9CE5A1000-memory.dmp

Filesize
4KB

Download
memory/1156-3427-0x000001E5319F0000-0x000001E531A12000-memory.dmp

Filesize
136KB

Download
memory/1156-3232-0x000001E5315F0000-0x000001E531672000-memory.dmp

Filesize
520KB

Download
memory/1156-3440-0x000001E5319E0000-0x000001E5319F4000-memory.dmp

Filesize
80KB

Download
memory/1156-3408-0x000001E5319F0000-0x000001E531A1A000-memory.dmp

Filesize
168KB

Download
memory/1156-3237-0x000001E531A20000-0x000001E531A96000-memory.dmp

Filesize
472KB

Download
memory/1156-3234-0x000001E5315B0000-0x000001E5315D2000-memory.dmp

Filesize
136KB

Download
memory/1156-3233-0x000001E531570000-0x000001E531580000-memory.dmp

Filesize
64KB

Download
memory/1156-3445-0x000001E5315E0000-0x000001E5315E8000-memory.dmp

Filesize
32KB

Download
memory/1852-1950-0x00000000010B0000-0x00000000010D0000-memory.dmp

Filesize
128KB

Download
memory/1852-1944-0x0000000001090000-0x00000000010AA000-memory.dmp

Filesize
104KB

Download
memory/3116-1920-0x00000000301F0000-0x00000000302F2000-memory.dmp

Filesize
1.0MB

Download
memory/3116-1911-0x00000000208E0000-0x0000000020918000-memory.dmp

Filesize
224KB

Download
memory/3116-8-0x0000000000B40000-0x0000000000D16000-memory.dmp

Filesize
1.8MB

Download
memory/3624-1919-0x0000000000340000-0x0000000000518000-memory.dmp

Filesize
1.8MB

Download