f45797637ab4d0c62f366a895cafbf5d5cd905dc814de8b8ad71e4f14f660725

Resubmissions

03/05/2024, 21:21

240503-z7adzsfb8s 7

03/05/2024, 21:13

240503-z227taaa67 7

Analysis

max time kernel
4s
max time network
38s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aventuria.exe
Size

164.7MB
MD5

d1ed34810dbd578158946ecbba295176
SHA1

28daf2c5b98a1800dd7ef398ae95122a409f65b8
SHA256

a9ae0e4d92a987a203a38e2c0ba3331506f01cfdb62813b31ddd2f9217681727
SHA512

42f8624fc65204031e611748a6b3ca97258a657e691fa1270c5e03deed5db12de106d8e0d1a0a9c86d4c8cf13449234fc5e07e6f36228c547fbba769e59502d4
SSDEEP

1572864:btc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:d+CHrJIgIsV

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3712	Aventuria.exe
3712	Aventuria.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
7	raw.githubusercontent.com
9	raw.githubusercontent.com
11	raw.githubusercontent.com
15	raw.githubusercontent.com
10	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
6	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
10820	powershell.exe
10524	powershell.exe
8620	powershell.exe
8588	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Aventuria.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Aventuria.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Aventuria.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Aventuria.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Aventuria.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Aventuria.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Aventuria.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
9744	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
10780	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7368	tasklist.exe
8072	tasklist.exe
8508	tasklist.exe
7724	tasklist.exe
6388	tasklist.exe
11200	tasklist.exe
7160	tasklist.exe
7976	tasklist.exe
3704	tasklist.exe
988	tasklist.exe
8420	tasklist.exe
6380	tasklist.exe
1324	tasklist.exe
5600	tasklist.exe
8136	tasklist.exe
7220	tasklist.exe
7872	tasklist.exe
7688	tasklist.exe
8428	tasklist.exe
5456	tasklist.exe
8048	tasklist.exe
5668	tasklist.exe
8020	tasklist.exe
8040	tasklist.exe
7904	tasklist.exe
6044	tasklist.exe
7992	tasklist.exe
7636	tasklist.exe
7392	tasklist.exe
8164	tasklist.exe
7888	tasklist.exe
6256	tasklist.exe
7072	tasklist.exe
7224	tasklist.exe
7440	tasklist.exe
7916	tasklist.exe
8764	tasklist.exe
5252	tasklist.exe
9916	tasklist.exe
4184	tasklist.exe
7592	tasklist.exe
7100	tasklist.exe
7964	tasklist.exe
7788	tasklist.exe
7900	tasklist.exe
10504	tasklist.exe
5468	tasklist.exe
8116	tasklist.exe
7908	tasklist.exe
7896	tasklist.exe
7644	tasklist.exe
7224	tasklist.exe
7496	tasklist.exe
7412	tasklist.exe
8320	tasklist.exe
3492	tasklist.exe
7300	tasklist.exe
7292	tasklist.exe
7016	tasklist.exe
7924	tasklist.exe
8576	tasklist.exe
6360	tasklist.exe
10780	tasklist.exe
5236	tasklist.exe

Kills process with taskkill 32 IoCs

evasion

pid	Process
7876	taskkill.exe
5764	taskkill.exe
1264	taskkill.exe
6748	taskkill.exe
11200	taskkill.exe
8344	taskkill.exe
7260	taskkill.exe
872	taskkill.exe
7128	taskkill.exe
9616	taskkill.exe
7220	taskkill.exe
3908	taskkill.exe
11240	taskkill.exe
8748	taskkill.exe
11216	taskkill.exe
9868	taskkill.exe
8340	taskkill.exe
10576	taskkill.exe
4752	taskkill.exe
2532	taskkill.exe
5280	taskkill.exe
7224	taskkill.exe
11208	taskkill.exe
4460	taskkill.exe
4308	taskkill.exe
11224	taskkill.exe
4840	taskkill.exe
8196	taskkill.exe
6856	taskkill.exe
6104	taskkill.exe
6712	taskkill.exe
9408	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3712	Aventuria.exe
3712	Aventuria.exe
3712	Aventuria.exe
3712	Aventuria.exe
3712	Aventuria.exe
3712	Aventuria.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	tasklist.exe
Token: SeShutdownPrivilege	3712	Aventuria.exe
Token: SeCreatePagefilePrivilege	3712	Aventuria.exe
Token: SeIncreaseQuotaPrivilege	4636	WMIC.exe
Token: SeSecurityPrivilege	4636	WMIC.exe
Token: SeTakeOwnershipPrivilege	4636	WMIC.exe
Token: SeLoadDriverPrivilege	4636	WMIC.exe
Token: SeSystemProfilePrivilege	4636	WMIC.exe
Token: SeSystemtimePrivilege	4636	WMIC.exe
Token: SeProfSingleProcessPrivilege	4636	WMIC.exe
Token: SeIncBasePriorityPrivilege	4636	WMIC.exe
Token: SeCreatePagefilePrivilege	4636	WMIC.exe
Token: SeBackupPrivilege	4636	WMIC.exe
Token: SeRestorePrivilege	4636	WMIC.exe
Token: SeShutdownPrivilege	4636	WMIC.exe
Token: SeDebugPrivilege	4636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4636	WMIC.exe
Token: SeRemoteShutdownPrivilege	4636	WMIC.exe
Token: SeUndockPrivilege	4636	WMIC.exe
Token: SeManageVolumePrivilege	4636	WMIC.exe
Token: 33	4636	WMIC.exe
Token: 34	4636	WMIC.exe
Token: 35	4636	WMIC.exe
Token: 36	4636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4636	WMIC.exe
Token: SeSecurityPrivilege	4636	WMIC.exe
Token: SeTakeOwnershipPrivilege	4636	WMIC.exe
Token: SeLoadDriverPrivilege	4636	WMIC.exe
Token: SeSystemProfilePrivilege	4636	WMIC.exe
Token: SeSystemtimePrivilege	4636	WMIC.exe
Token: SeProfSingleProcessPrivilege	4636	WMIC.exe
Token: SeIncBasePriorityPrivilege	4636	WMIC.exe
Token: SeCreatePagefilePrivilege	4636	WMIC.exe
Token: SeBackupPrivilege	4636	WMIC.exe
Token: SeRestorePrivilege	4636	WMIC.exe
Token: SeShutdownPrivilege	4636	WMIC.exe
Token: SeDebugPrivilege	4636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4636	WMIC.exe
Token: SeRemoteShutdownPrivilege	4636	WMIC.exe
Token: SeUndockPrivilege	4636	WMIC.exe
Token: SeManageVolumePrivilege	4636	WMIC.exe
Token: 33	4636	WMIC.exe
Token: 34	4636	WMIC.exe
Token: 35	4636	WMIC.exe
Token: 36	4636	WMIC.exe
Token: SeShutdownPrivilege	3712	Aventuria.exe
Token: SeCreatePagefilePrivilege	3712	Aventuria.exe
Token: SeDebugPrivilege	6740	tasklist.exe
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7000	WMIC.exe
Token: SeSecurityPrivilege	7000	WMIC.exe
Token: SeTakeOwnershipPrivilege	7000	WMIC.exe
Token: SeLoadDriverPrivilege	7000	WMIC.exe
Token: SeSystemProfilePrivilege	7000	WMIC.exe
Token: SeSystemtimePrivilege	7000	WMIC.exe
Token: SeProfSingleProcessPrivilege	7000	WMIC.exe
Token: SeIncBasePriorityPrivilege	7000	WMIC.exe
Token: SeCreatePagefilePrivilege	7000	WMIC.exe
Token: SeBackupPrivilege	7000	WMIC.exe
Token: SeRestorePrivilege	7000	WMIC.exe
Token: SeShutdownPrivilege	7000	WMIC.exe
Token: SeDebugPrivilege	7000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7000	WMIC.exe
Token: SeRemoteShutdownPrivilege	7000	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1100	3712	Aventuria.exe	77
PID 3712 wrote to memory of 1100	3712	Aventuria.exe	77
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 3712 wrote to memory of 4548	3712	Aventuria.exe	80
PID 1100 wrote to memory of 4184	1100	cmd.exe	79
PID 1100 wrote to memory of 4184	1100	cmd.exe	79
PID 3712 wrote to memory of 3812	3712	Aventuria.exe	81
PID 3712 wrote to memory of 3812	3712	Aventuria.exe	81
PID 3712 wrote to memory of 492	3712	Aventuria.exe	83
PID 3712 wrote to memory of 492	3712	Aventuria.exe	83
PID 492 wrote to memory of 4636	492	cmd.exe	85
PID 492 wrote to memory of 4636	492	cmd.exe	85
PID 3712 wrote to memory of 2116	3712	Aventuria.exe	86
PID 3712 wrote to memory of 2116	3712	Aventuria.exe	86
PID 3712 wrote to memory of 2432	3712	Aventuria.exe	87
PID 3712 wrote to memory of 2432	3712	Aventuria.exe	87
PID 3712 wrote to memory of 3192	3712	Aventuria.exe	89
PID 3712 wrote to memory of 3192	3712	Aventuria.exe	89
PID 3712 wrote to memory of 3228	3712	Aventuria.exe	90
PID 3712 wrote to memory of 3228	3712	Aventuria.exe	90
PID 3712 wrote to memory of 4984	3712	Aventuria.exe	91
PID 3712 wrote to memory of 4984	3712	Aventuria.exe	91
PID 3712 wrote to memory of 788	3712	Aventuria.exe	92
PID 3712 wrote to memory of 788	3712	Aventuria.exe	92
PID 3712 wrote to memory of 1924	3712	Aventuria.exe	93
PID 3712 wrote to memory of 1924	3712	Aventuria.exe	93
PID 3712 wrote to memory of 1348	3712	Aventuria.exe	94
PID 3712 wrote to memory of 1348	3712	Aventuria.exe	94
PID 3712 wrote to memory of 1984	3712	Aventuria.exe	95
PID 3712 wrote to memory of 1984	3712	Aventuria.exe	95
PID 3712 wrote to memory of 1380	3712	Aventuria.exe	96
PID 3712 wrote to memory of 1380	3712	Aventuria.exe	96
PID 3712 wrote to memory of 3344	3712	Aventuria.exe	97
PID 3712 wrote to memory of 3344	3712	Aventuria.exe	97
PID 3712 wrote to memory of 332	3712	Aventuria.exe	98
PID 3712 wrote to memory of 332	3712	Aventuria.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
10272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Aventuria.exe
"C:\Users\Admin\AppData\Local\Temp\Aventuria.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- C:\Users\Admin\AppData\Local\Temp\Aventuria.exe
  "C:\Users\Admin\AppData\Local\Temp\Aventuria.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1684 --field-trial-handle=1692,i,14502646583841954489,13982658521812047453,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\Aventuria.exe
  "C:\Users\Admin\AppData\Local\Temp\Aventuria.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=1728 --field-trial-handle=1692,i,14502646583841954489,13982658521812047453,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3712 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3712 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3192
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1924
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1348
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:332
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:648
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4248
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2164
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1976
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1712
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5040
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2292
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3820
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1644
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5008
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5028
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:400
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1368
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4736
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4820
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2356
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3772
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3896
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:404
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1780
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:568
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1148
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3668
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3864
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3420
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:2284
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:8180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:8952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:7560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7000
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:7108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:10480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:10524
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:10740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:10780
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:10832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:10872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:11012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    PID:11052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3712 get ExecutablePath"
  2⤵
  PID:10552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3712 get ExecutablePath
    3⤵
    PID:10736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10760
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10968
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:10988
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:10840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:11112
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:11164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:11028
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:10380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:10396
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:10032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:10064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:3800
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:72
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:7864
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:6300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:9708
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:7108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:3600
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
  2⤵
  PID:8348
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:9316
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:9524
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:8440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:8220
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:7916
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:9364
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:7084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:6528
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:8968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
  2⤵
  PID:388
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
    3⤵
    PID:8644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:8296
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:6724
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:7128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:8748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:7900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:9616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:6120
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:9868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5892
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:6964
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:11216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:7896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:11208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:720
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:11240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:7220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5488
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:6856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:8196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9788
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:10576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:11224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:6748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:6852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:6712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:7764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:11200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5760
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:5436
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9916
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:5764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8388
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:7260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:8340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:7484
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:8344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:6104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9888
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:5280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:8844
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:7876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
  2⤵
  PID:9816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmd.exe
    3⤵
    - Kills process with taskkill
    PID:9408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
  2⤵
  PID:6820
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
    3⤵
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:9320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:6696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
  2⤵
  PID:7040
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
    3⤵
    PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:6204
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:5528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:8224
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:10924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:10724
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:8488
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:8036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:3116
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:5796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
  2⤵
  PID:9704
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
    3⤵
    PID:8524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
  2⤵
  PID:10900
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
  2⤵
  PID:5480
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
    3⤵
    PID:8240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:6880
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:7644
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:10876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:10888
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:7624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
  2⤵
  PID:7680
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
    3⤵
    PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
  2⤵
  PID:6188
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
    3⤵
    PID:8456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
  2⤵
  PID:6932
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
    3⤵
    PID:11024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:5368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:10840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
  2⤵
  PID:10832
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
    3⤵
    PID:9972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:11072
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:11060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
  2⤵
  PID:11164
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
    3⤵
    PID:9832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
  2⤵
  PID:6240
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\YH86YCoWWvgg_tezmp.ps1""
  2⤵
  PID:10392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\YH86YCoWWvgg_tezmp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:10820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10412
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11028
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11196
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6976
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:10504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:10812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7072
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:976
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3904
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4776
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11252
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2336
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9272
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5888
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10032
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9252
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5496
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5624
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9356
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1932
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9736
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9092
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6644
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:72
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9352
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:10780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7812
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5524
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6300
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7772
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5404
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8308
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5400
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1516
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:11200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1564
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7612
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:10808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:6544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:10484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6548
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9152
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\buT3G87f8BkF.vbs"
  2⤵
  PID:8376
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\buT3G87f8BkF.vbs
    3⤵
    PID:9616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:9228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:8244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:10524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:9724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  PID:8540
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:7588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:7204
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:10764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:9672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:7800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupH3wWTP /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe /f"
  2⤵
  PID:7696
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupH3wWTP /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe /f
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupH3wWTP /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe\" /F /rl highest"
  2⤵
  PID:9392
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupH3wWTP /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe\" /F /rl highest
    3⤵
    PID:6684
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupH3wWTP /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe\" /F /rl highest
      4⤵
      Creates scheduled task(s)
      PID:9744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe\"""
  2⤵
  PID:7784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8620
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Aventuria.exe
      4⤵
      Views/modifies file attributes
      PID:10272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Aventuria.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:8864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh interface set interface "Ethernet" admin=disable"
  2⤵
  PID:3772
- - C:\Windows\system32\netsh.exe
    netsh interface set interface "Ethernet" admin=disable
    3⤵
    PID:4272
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get locale
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo wlan"
  2⤵
  PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan disconnect"
  2⤵
  PID:7796
- - C:\Windows\system32\netsh.exe
    netsh wlan disconnect
    3⤵
    PID:7872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:7800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
285872df93697c9dbd7059466be7d0c4

SHA1
6b10ca208c0f0717c65d4ac208107e2d2c967a4e

SHA256
7ca8cdac3673291712d99ca8d9a1f184c27c0097411a4eaa0fbcf96a5624ce31

SHA512
f8d704706f9e6bdc6b096a82ad4696f35b53a44406a1c311460c452055c03b3bcd91a815debf446dc5eaf94c28a429bfa02b92ba185cc0c472f978b80783398b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62db805aec8c500e1ed7dab401b1ac83

SHA1
56ca25fe1fa92acfeb0585cfc589994a3836199d

SHA256
9807e6f9f6d5e91e1944be0a5174eb52264a5ab9bda70b56bb23de7477ecbf9d

SHA512
d22cfc4152c9e469c7025eebaaf2368b8ca490563e949088a8bfe27c07eba2dbef1864f51c237f9d678d0aba3012a3e88525c94f8d14a19ff2dd994f1f275375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\30130dbc-7a91-4d24-98b9-bbdc58341036.tmp.node

Filesize
151KB

MD5
52fab1ab5c60172bcb1c128969a780a6

SHA1
3ff58d8d13147af548fee9d9cbe41e93e0a1105d

SHA256
e5c02f5a9790570a8ca0af730a9c15ba11cdb6a88bff24c58da684d2b70f67f9

SHA512
88b49762fe07144c1a9f91192ba08e351c73bf320624485fed7f9033e29b447e5a794cef2eef80c2c012375409baeb6642a31e7d10ec73c3e1cd8b3b69febd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3260c19f-377f-4666-9ef2-1bcebfef8134.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip

Filesize
2KB

MD5
16b9233298e461247dfecf3d3bf92fcd

SHA1
f3dfa04108180fb0a75302dc757c463d4f6cf954

SHA256
e570c79c4f1c31dfc2da4b0a1a46933a8af21d972a955c68f8e5439152488003

SHA512
c255218bb70a8297bb98114846b0b2a5955f1afb4211d884622b33f2237065cdd16753cdeb73196a890b4f8f53c438a5fed8cc0bcf2ff1b9bf4de76819afac6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YH86YCoWWvgg_tezmp.ps1

Filesize
728B

MD5
631622e03d65569ee90b741825cc51da

SHA1
ebab30ba3b41d2c72dc3ebd6978c0294d38fecac

SHA256
ca346aef0033a99b1355e6c18a27c7dca9d2f07fd5db85bb38d9d857069c8263

SHA512
9746958ca422d7a1bc383a1c895d07cad8d76eb00f49c5cff4f4040bb255c82a3ab862abcf659bfcb213865ed5fb148a334d6e930e776dbbcf9728a5681e4f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njbrg5p5.lnx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\buT3G87f8BkF.vbs

Filesize
130B

MD5
d1111fbbaef28413de4a0a64e0d54f2d

SHA1
5bbadc5c5d504dcba5509d34986125e8446e3830

SHA256
beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01

SHA512
1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

Download Submit
memory/10872-27-0x000001778D290000-0x000001778D2B2000-memory.dmp

Filesize
136KB

Download