082f88237890f5aa9e679949411597fba171d25a3bb16e95cfd959ca3f13c1de

Analysis

max time kernel
35s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
20/07/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HowlPredictor.exe
Size

164.7MB
MD5

df40d1dfb877975f0ea96f54e8db1ee9
SHA1

363eb72716f6d8a08b4d6737ecef6a672a4f361f
SHA256

183c35335302f8b64a3e892c609e69ecdf3183a0dd9638a01a631205502b4b77
SHA512

5a6e3d710eb8b60c77a475a6e66bbc4bf60b202fdaea9a3f68c43d6a4e5ada6fe5d0f424aee5a92862b5def12c52f80b4d517a07edf020bed22102a859215f02
SSDEEP

1572864:a3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:vPvt1x2z5m1ij

Score

7^/10

defense_evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HowlPredictor.exe	HowlPredictor.exe

Loads dropped DLL 2 IoCs

pid	Process
104	HowlPredictor.exe
104	HowlPredictor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupz3x8BD = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\HowlPredictor.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
20	discord.com
16	raw.githubusercontent.com
24	discord.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
23	discord.com
25	discord.com
31	discord.com
1	discord.com
18	discord.com
21	raw.githubusercontent.com
26	discord.com
4	raw.githubusercontent.com
17	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
4	ipinfo.io

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	HowlPredictor.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5712	cmd.exe
5676	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
4740	powershell.exe
5644	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HowlPredictor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	HowlPredictor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	HowlPredictor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	HowlPredictor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	HowlPredictor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HowlPredictor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HowlPredictor.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
7144	WMIC.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
104	HowlPredictor.exe
104	HowlPredictor.exe
104	HowlPredictor.exe
104	HowlPredictor.exe
104	HowlPredictor.exe
104	HowlPredictor.exe
2904	fastlist.exe
2904	fastlist.exe
3960	fastlist.exe
3960	fastlist.exe
2060	fastlist.exe
2060	fastlist.exe
3360	fastlist.exe
3360	fastlist.exe
4672	fastlist.exe
4672	fastlist.exe
1672	fastlist.exe
1672	fastlist.exe
4568	fastlist.exe
4568	fastlist.exe
4164	fastlist.exe
4164	fastlist.exe
2020	fastlist.exe
3780	fastlist.exe
3780	fastlist.exe
2020	fastlist.exe
3972	fastlist.exe
3972	fastlist.exe
2116	fastlist.exe
2116	fastlist.exe
4892	fastlist.exe
892	fastlist.exe
892	fastlist.exe
4892	fastlist.exe
1372	fastlist.exe
1372	fastlist.exe
2716	fastlist.exe
2716	fastlist.exe
2752	fastlist.exe
2752	fastlist.exe
1808	fastlist.exe
1808	fastlist.exe
988	fastlist.exe
988	fastlist.exe
2032	fastlist.exe
2032	fastlist.exe
3912	fastlist.exe
3912	fastlist.exe
3556	fastlist.exe
3556	fastlist.exe
1988	fastlist.exe
1988	fastlist.exe
4292	fastlist.exe
4292	fastlist.exe
3956	fastlist.exe
3956	fastlist.exe
480	fastlist.exe
480	fastlist.exe
2760	fastlist.exe
888	fastlist.exe
2760	fastlist.exe
888	fastlist.exe
3132	fastlist.exe
3240	fastlist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	104	HowlPredictor.exe
Token: SeCreatePagefilePrivilege	104	HowlPredictor.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe
Token: 34	1444	WMIC.exe
Token: 35	1444	WMIC.exe
Token: 36	1444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe
Token: 34	1444	WMIC.exe
Token: 35	1444	WMIC.exe
Token: 36	1444	WMIC.exe
Token: SeShutdownPrivilege	104	HowlPredictor.exe
Token: SeCreatePagefilePrivilege	104	HowlPredictor.exe
Token: SeIncreaseQuotaPrivilege	6856	WMIC.exe
Token: SeSecurityPrivilege	6856	WMIC.exe
Token: SeTakeOwnershipPrivilege	6856	WMIC.exe
Token: SeLoadDriverPrivilege	6856	WMIC.exe
Token: SeSystemProfilePrivilege	6856	WMIC.exe
Token: SeSystemtimePrivilege	6856	WMIC.exe
Token: SeProfSingleProcessPrivilege	6856	WMIC.exe
Token: SeIncBasePriorityPrivilege	6856	WMIC.exe
Token: SeCreatePagefilePrivilege	6856	WMIC.exe
Token: SeBackupPrivilege	6856	WMIC.exe
Token: SeRestorePrivilege	6856	WMIC.exe
Token: SeShutdownPrivilege	6856	WMIC.exe
Token: SeDebugPrivilege	6856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6856	WMIC.exe
Token: SeRemoteShutdownPrivilege	6856	WMIC.exe
Token: SeUndockPrivilege	6856	WMIC.exe
Token: SeManageVolumePrivilege	6856	WMIC.exe
Token: 33	6856	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 104 wrote to memory of 2904	104	HowlPredictor.exe	81
PID 104 wrote to memory of 2904	104	HowlPredictor.exe	81
PID 104 wrote to memory of 2904	104	HowlPredictor.exe	81
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 1540	104	HowlPredictor.exe	83
PID 104 wrote to memory of 5040	104	HowlPredictor.exe	84
PID 104 wrote to memory of 5040	104	HowlPredictor.exe	84
PID 104 wrote to memory of 2256	104	HowlPredictor.exe	85
PID 104 wrote to memory of 2256	104	HowlPredictor.exe	85
PID 2256 wrote to memory of 1444	2256	cmd.exe	87
PID 2256 wrote to memory of 1444	2256	cmd.exe	87
PID 104 wrote to memory of 2060	104	HowlPredictor.exe	89
PID 104 wrote to memory of 2060	104	HowlPredictor.exe	89
PID 104 wrote to memory of 2060	104	HowlPredictor.exe	89
PID 104 wrote to memory of 3360	104	HowlPredictor.exe	90
PID 104 wrote to memory of 3360	104	HowlPredictor.exe	90
PID 104 wrote to memory of 3360	104	HowlPredictor.exe	90
PID 104 wrote to memory of 1672	104	HowlPredictor.exe	91
PID 104 wrote to memory of 1672	104	HowlPredictor.exe	91
PID 104 wrote to memory of 1672	104	HowlPredictor.exe	91
PID 104 wrote to memory of 4672	104	HowlPredictor.exe	92
PID 104 wrote to memory of 4672	104	HowlPredictor.exe	92
PID 104 wrote to memory of 4672	104	HowlPredictor.exe	92
PID 104 wrote to memory of 3960	104	HowlPredictor.exe	93
PID 104 wrote to memory of 3960	104	HowlPredictor.exe	93
PID 104 wrote to memory of 3960	104	HowlPredictor.exe	93
PID 104 wrote to memory of 3956	104	HowlPredictor.exe	95
PID 104 wrote to memory of 3956	104	HowlPredictor.exe	95
PID 104 wrote to memory of 3956	104	HowlPredictor.exe	95
PID 104 wrote to memory of 480	104	HowlPredictor.exe	96
PID 104 wrote to memory of 480	104	HowlPredictor.exe	96
PID 104 wrote to memory of 480	104	HowlPredictor.exe	96
PID 104 wrote to memory of 3780	104	HowlPredictor.exe	97
PID 104 wrote to memory of 3780	104	HowlPredictor.exe	97
PID 104 wrote to memory of 3780	104	HowlPredictor.exe	97
PID 104 wrote to memory of 2032	104	HowlPredictor.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe
"C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops autorun.inf file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:104
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe
  "C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\afistularan" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1692 --field-trial-handle=1688,i,9100272206239929566,12737916569668637730,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe
  "C:\Users\Admin\AppData\Local\Temp\HowlPredictor.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\afistularan" --mojo-platform-channel-handle=1880 --field-trial-handle=1688,i,9100272206239929566,12737916569668637730,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=104 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=104 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:480
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:808
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3564
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:556
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:892
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5104
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:2152
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:6876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:6920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:3632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:6888
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:6904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:7008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:7052
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:7060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:7104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:7144
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:5996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    PID:3780
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=104 get ExecutablePath"
  2⤵
  PID:1808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=104 get ExecutablePath
    3⤵
    PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:6352
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:5688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:5192
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:6316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:5280
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:6212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:6344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:6500
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:808
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:5488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:3320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:3260
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:5348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:5212
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""
  2⤵
  PID:5808
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"
    3⤵
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:3976
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:3036
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:3168
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:6004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:6688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:6100
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
    3⤵
    PID:5888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
  2⤵
  PID:6192
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
    3⤵
    PID:5204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:5664
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
  2⤵
  PID:972
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
    3⤵
    PID:6780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:6736
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
  2⤵
  PID:6800
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
    3⤵
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:2348
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:6228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:5296
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:6436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:5780
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:6272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:6796
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:6812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:6324
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
  2⤵
  PID:6424
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
    3⤵
    PID:6456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:5724
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
  2⤵
  PID:5044
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:5728
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:6392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:5568
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:6756
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:6464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
  2⤵
  PID:6924
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
  2⤵
  PID:3668
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
    3⤵
    PID:5652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
  2⤵
  PID:5640
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
    3⤵
    PID:6888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:6904
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:7092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
  2⤵
  PID:7064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
    3⤵
    PID:7040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
  2⤵
  PID:7128
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
    3⤵
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
  2⤵
  PID:5356
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\lqKFoQNA3GD1_tezmp.ps1""
  2⤵
  PID:5944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\lqKFoQNA3GD1_tezmp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5644
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5764
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3272
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6160
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5168
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6172
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5264
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5216
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:844
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5304
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6296
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4160
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6352
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5324
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5140
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6380
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6320
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5468
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5280
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5408
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:832
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6496
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5592
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6356
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6372
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:808
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5492
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6480
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5436
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5348
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5428
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6640
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5212
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5508
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6136
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:3564
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5300
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:5916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  PID:2224
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:6672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:2620
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupz3x8BD /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe /f"
  2⤵
  PID:964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupz3x8BD /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe /f
    3⤵
    - Adds Run key to start application
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupz3x8BD /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe\" /F /rl highest"
  2⤵
  PID:7068
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupz3x8BD /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe\" /F /rl highest
    3⤵
    PID:1232
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupz3x8BD /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe\" /F /rl highest
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe\"""
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  PID:5712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe\""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5676
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HowlPredictor.exe
      4⤵
      Views/modifies file attributes
      PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\HowlPredictor.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4740
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ps-list\fastlist.exe
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:7052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5843696d70df783161968b9f9e1759

SHA1
6e7ab4a749b553ff66e8914563ca9f98cabe3ecd

SHA256
51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719

SHA512
5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d62e895-911c-4cdf-919e-2058825504e3.tmp.node

Filesize
153KB

MD5
3bfe83529c7a61766ef1e4a4659ad703

SHA1
90b00f25bfa7ff48a5ff796c5858fd62101f7829

SHA256
2e0d62f5c2aea1c38f9f728f2c7bba4009c54d7afb5eaa61959f1916204f14eb

SHA512
d0b936a5611574cc70ff44f8a9dc2c7d68c3705506ba993665a6a8bdd694d61d77fcc877be5f9341181f6eb222883d3f5c96d01b714452227b1c09164135b945

Download Submit
C:\Users\Admin\AppData\Local\Temp\97385662-975f-4a15-961d-bc845ac3b666.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_194.zip

Filesize
2KB

MD5
200626f6055f789164c6d43effa81092

SHA1
d5b68534b56286ca38b3330e97a4ea15146a0747

SHA256
53b64a3163961ba6e3a8250ed39296c88a8f9a225697c71a245e6db10f7701c9

SHA512
4b4148e8074996024bcafc57f92cc3f10512f334a8d20c8685475264ec225929d292dce98f2559fa05f966f84ad1d9276a8489af6d76a37a71fc0b3fd157b220

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhi5qd3t.qqf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqKFoQNA3GD1_tezmp.ps1

Filesize
728B

MD5
e5734ca5dc35e6e2a3fc3adcf452789b

SHA1
0aa0bbc94674cce369bbf5f7d832ed052b202deb

SHA256
666022bf6d888afc712dd3abe894d0e645e38ecd9898430b0bd05824e7390bc4

SHA512
70908bfd0848037769b55a48efd05f426de0cdb239d5771fb46ac1d06ab8a282c012791ddd95bafeeda3c2229066996704020ccd3f8635fddb326aacf130c53d

Download Submit
memory/5996-115-0x000002C0750E0000-0x000002C075102000-memory.dmp

Filesize
136KB

Download