1d9a3c8728d6868857aaa0d0817bcffab975fdaed769b2d70a750972280c8c72

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/app-64.7z
Size

82.3MB
MD5

cb1ba9cbec946e070330bf6b7ea9fcec
SHA1

7440ce7c460cc6e8bc485be748064cde35f0d178
SHA256

f3712d37b10e45146d0f2e60d7694e1e81339bff472dace653fc1d0b00089783
SHA512

0d31b8d2fe90ff4636a7eda96eac1809a1c88039781cb32c8d6d5b49e93f631287876f68694e238de07dfb23177526c75e369d3d4171ab24e96cfd28506556ae
SSDEEP

1572864:NJ39Kk9MaLcLAeydx32B8ceyIS7nqYdd6hIExeIg6q7BMn:Mk9MaLC//vP7nMxeIg6WMn

Score

8^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

chrome.exechrome.exechrome.exemsedge.exemsedge.exechrome.exemsedge.exemsedge.exemsedge.exe

pid process

4120 chrome.exe
1056 chrome.exe
4684 chrome.exe
612 msedge.exe
492 msedge.exe
1424 chrome.exe
5024 msedge.exe
6072 msedge.exe
6088 msedge.exe

pid	process
4120	chrome.exe
1056	chrome.exe
4684	chrome.exe
612	msedge.exe
492	msedge.exe
1424	chrome.exe
5024	msedge.exe
6072	msedge.exe
6088	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ReturnThief.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ReturnThief.exe

Executes dropped EXE 4 IoCs

Processes:

ReturnThief.exeReturnThief.exeReturnThief.exeReturnThief.exe

pid process

3140 ReturnThief.exe
1824 ReturnThief.exe
1128 ReturnThief.exe
6004 ReturnThief.exe

Loads dropped DLL 10 IoCs

Processes:

ReturnThief.exeReturnThief.exeReturnThief.exeReturnThief.exe

pid	process
3140	ReturnThief.exe
3140	ReturnThief.exe
3140	ReturnThief.exe
1824	ReturnThief.exe
1128	ReturnThief.exe
1128	ReturnThief.exe
1128	ReturnThief.exe
1128	ReturnThief.exe
1128	ReturnThief.exe
6004	ReturnThief.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates processes with tasklist 1 TTPs 8 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

880 tasklist.exe
4324 tasklist.exe
2780 tasklist.exe
3544 tasklist.exe
5944 tasklist.exe
4908 tasklist.exe
6052 tasklist.exe
824 tasklist.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
880	tasklist.exe
4324	tasklist.exe
2780	tasklist.exe
3544	tasklist.exe
5944	tasklist.exe
4908	tasklist.exe
6052	tasklist.exe
824	tasklist.exe

Detects videocard installed 1 TTPs 64 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
3080	WMIC.exe
376	WMIC.exe
3152	WMIC.exe
4192	WMIC.exe
3404	WMIC.exe
2328	WMIC.exe
5620	WMIC.exe
3032	WMIC.exe
6032	WMIC.exe
468	WMIC.exe
492	WMIC.exe
2608	WMIC.exe
5736	WMIC.exe
5752	WMIC.exe
5000	WMIC.exe
1216	WMIC.exe
2008	WMIC.exe
1556	WMIC.exe
2716	WMIC.exe
3132	WMIC.exe
5804	WMIC.exe
5980	WMIC.exe
2608	WMIC.exe
3820	WMIC.exe
5164	WMIC.exe
4192	WMIC.exe
1980	WMIC.exe
3744	WMIC.exe
1572	WMIC.exe
5988	WMIC.exe
3060	WMIC.exe
3680	WMIC.exe
4348	WMIC.exe
4304	WMIC.exe
4696	WMIC.exe
3092	WMIC.exe
4952	WMIC.exe
5992	WMIC.exe
5532	WMIC.exe
2264	WMIC.exe
4792	WMIC.exe
2532	WMIC.exe
4512	WMIC.exe
5748	WMIC.exe
4732	WMIC.exe
1840	WMIC.exe
4484	WMIC.exe
3664	WMIC.exe
5324	WMIC.exe
460	WMIC.exe
3980	WMIC.exe
492	WMIC.exe
1932	WMIC.exe
5944	WMIC.exe
5388	WMIC.exe
4484	WMIC.exe
1952	WMIC.exe
4328	WMIC.exe
5260	WMIC.exe
2424	WMIC.exe
1840	WMIC.exe
2848	WMIC.exe
460	WMIC.exe
1216	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2716	taskkill.exe
5604	taskkill.exe
5608	taskkill.exe
5652	taskkill.exe
5996	taskkill.exe
3588	taskkill.exe
5636	taskkill.exe
980	taskkill.exe
4524	taskkill.exe
5524	taskkill.exe
5820	taskkill.exe

Modifies registry class 2 IoCs

Processes:

7zFM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ReturnThief.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1824	ReturnThief.exe
1824	ReturnThief.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
828	powershell.exe
828	powershell.exe
828	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
4120	chrome.exe
4120	chrome.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
4964	msedge.exe
4964	msedge.exe
612	msedge.exe
612	msedge.exe
612	msedge.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
5636	powershell.exe
5636	powershell.exe
5636	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
5752	powershell.exe
5752	powershell.exe
5752	powershell.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
4476	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3256 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exemsedge.exe

pid process

4120 chrome.exe
4120 chrome.exe
4120 chrome.exe
612 msedge.exe
612 msedge.exe
612 msedge.exe
612 msedge.exe

pid	process
3256	7zFM.exe

pid	process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
612	msedge.exe
612	msedge.exe
612	msedge.exe
612	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	3256	7zFM.exe
Token: 35	3256	7zFM.exe
Token: SeSecurityPrivilege	3256	7zFM.exe
Token: SeIncreaseQuotaPrivilege	4940	WMIC.exe
Token: SeSecurityPrivilege	4940	WMIC.exe
Token: SeTakeOwnershipPrivilege	4940	WMIC.exe
Token: SeLoadDriverPrivilege	4940	WMIC.exe
Token: SeSystemProfilePrivilege	4940	WMIC.exe
Token: SeSystemtimePrivilege	4940	WMIC.exe
Token: SeProfSingleProcessPrivilege	4940	WMIC.exe
Token: SeIncBasePriorityPrivilege	4940	WMIC.exe
Token: SeCreatePagefilePrivilege	4940	WMIC.exe
Token: SeBackupPrivilege	4940	WMIC.exe
Token: SeRestorePrivilege	4940	WMIC.exe
Token: SeShutdownPrivilege	4940	WMIC.exe
Token: SeDebugPrivilege	4940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4940	WMIC.exe
Token: SeRemoteShutdownPrivilege	4940	WMIC.exe
Token: SeUndockPrivilege	4940	WMIC.exe
Token: SeManageVolumePrivilege	4940	WMIC.exe
Token: 33	4940	WMIC.exe
Token: 34	4940	WMIC.exe
Token: 35	4940	WMIC.exe
Token: 36	4940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4940	WMIC.exe
Token: SeSecurityPrivilege	4940	WMIC.exe
Token: SeTakeOwnershipPrivilege	4940	WMIC.exe
Token: SeLoadDriverPrivilege	4940	WMIC.exe
Token: SeSystemProfilePrivilege	4940	WMIC.exe
Token: SeSystemtimePrivilege	4940	WMIC.exe
Token: SeProfSingleProcessPrivilege	4940	WMIC.exe
Token: SeIncBasePriorityPrivilege	4940	WMIC.exe
Token: SeCreatePagefilePrivilege	4940	WMIC.exe
Token: SeBackupPrivilege	4940	WMIC.exe
Token: SeRestorePrivilege	4940	WMIC.exe
Token: SeShutdownPrivilege	4940	WMIC.exe
Token: SeDebugPrivilege	4940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4940	WMIC.exe
Token: SeRemoteShutdownPrivilege	4940	WMIC.exe
Token: SeUndockPrivilege	4940	WMIC.exe
Token: SeManageVolumePrivilege	4940	WMIC.exe
Token: 33	4940	WMIC.exe
Token: 34	4940	WMIC.exe
Token: 35	4940	WMIC.exe
Token: 36	4940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exechrome.exemsedge.exe

pid process

3256 7zFM.exe
3256 7zFM.exe
4120 chrome.exe
612 msedge.exe

pid	process
3256	7zFM.exe
3256	7zFM.exe
4120	chrome.exe
612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ReturnThief.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3140 wrote to memory of 468	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 468	3140	ReturnThief.exe	cmd.exe
PID 468 wrote to memory of 4940	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 4940	468	cmd.exe	WMIC.exe
PID 3140 wrote to memory of 4332	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 4332	3140	ReturnThief.exe	cmd.exe
PID 4332 wrote to memory of 1636	4332	cmd.exe	WMIC.exe
PID 4332 wrote to memory of 1636	4332	cmd.exe	WMIC.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1128	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1824	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 1824	3140	ReturnThief.exe	ReturnThief.exe
PID 3140 wrote to memory of 4912	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 4912	3140	ReturnThief.exe	cmd.exe
PID 4912 wrote to memory of 4324	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 4324	4912	cmd.exe	tasklist.exe
PID 3140 wrote to memory of 3932	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 3932	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 3920	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 3920	3140	ReturnThief.exe	cmd.exe
PID 3932 wrote to memory of 1148	3932	cmd.exe	WMIC.exe
PID 3932 wrote to memory of 1148	3932	cmd.exe	WMIC.exe
PID 3932 wrote to memory of 2772	3932	cmd.exe	find.exe
PID 3932 wrote to memory of 2772	3932	cmd.exe	find.exe
PID 3920 wrote to memory of 1376	3920	cmd.exe	where.exe
PID 3920 wrote to memory of 1376	3920	cmd.exe	where.exe
PID 3140 wrote to memory of 4788	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 4788	3140	ReturnThief.exe	cmd.exe
PID 4788 wrote to memory of 3404	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3404	4788	cmd.exe	WMIC.exe
PID 3140 wrote to memory of 3568	3140	ReturnThief.exe	cmd.exe
PID 3140 wrote to memory of 3568	3140	ReturnThief.exe	cmd.exe
PID 3568 wrote to memory of 1264	3568	cmd.exe	powershell.exe
PID 3568 wrote to memory of 1264	3568	cmd.exe	powershell.exe
PID 3140 wrote to memory of 2908	3140	ReturnThief.exe	cmd.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3256

C:\Users\Admin\Desktop\ReturnThief.exe
"C:\Users\Admin\Desktop\ReturnThief.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Users\Admin\Desktop\ReturnThief.exe
  "C:\Users\Admin\Desktop\ReturnThief.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1788,i,11862508785485277614,11053649362952151114,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1128
- C:\Users\Admin\Desktop\ReturnThief.exe
  "C:\Users\Admin\Desktop\ReturnThief.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=2064 --field-trial-handle=1788,i,11862508785485277614,11053649362952151114,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1148
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2908
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3524
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3288
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2176
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2716
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4192
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1032
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:232
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9223 --profile-directory=Default --window-position=-2400,-2400
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xa0,0x124,0x7ffe09d8cc40,0x7ffe09d8cc4c,0x7ffe09d8cc58
    3⤵
    PID:784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2104,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:2792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    PID:3564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
    3⤵
    PID:3936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3372,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,13650268300545771157,4712734757556996560,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4452
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5084
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4340
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2584
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5084
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3480
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:116
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --window-position=-2400,-2400
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe06bb46f8,0x7ffe06bb4708,0x7ffe06bb4718
    3⤵
    PID:916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:6072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,10451978017699504062,16345906705241982683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:6088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5392
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5432
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5892
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5368
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5428
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5836
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5860
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5908
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:6064
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5284
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:792
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1576
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5660
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5840
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:6008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:6044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:964
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:6056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2344
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4552
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5704
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5844
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2328
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  PID:5312
- - C:\Windows\system32\where.exe
    where /r . *.sqlite
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
  2⤵
  PID:932
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
  2⤵
  PID:5404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
  2⤵
  PID:2716
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:5608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
  2⤵
  PID:5676
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:5820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
  2⤵
  PID:5816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:5652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1140
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:6036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
  2⤵
  PID:4512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
  2⤵
  PID:5328
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:5996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2592
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
  2⤵
  PID:5744
- - C:\Windows\system32\taskkill.exe
    taskkill /IM EpicGamesLauncher.exe /F
    3⤵
    - Kills process with taskkill
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM javaw.exe /F"
  2⤵
  PID:1608
- - C:\Windows\system32\taskkill.exe
    taskkill /IM javaw.exe /F
    3⤵
    - Kills process with taskkill
    PID:5604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5888
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
  2⤵
  PID:3600
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5372
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3032
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:60
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5168
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5348
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:6116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5784
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5600
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4192
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5352
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5136
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:6036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2608
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5140
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5944
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5508
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:6016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:536
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:6032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3568
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4832
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:432
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:6132
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:6004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1264
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5732
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:6056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5484
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1724
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2716
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:6016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2108
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5484
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3316
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2564
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5572
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5268
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5408
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5352
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3020
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:6128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5944
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2732
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4148
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2704
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3836
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:60
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1348
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4260
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3680
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5768
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:6016
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4488
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2188
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5864
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1332
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:6120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:6132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:716
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5852
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4240
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5184
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5536
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:6056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2892
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4008
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3496
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2344
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5456
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5460
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:6040
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1016
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:6112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:60
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4556
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:472
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:6016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3068
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2580
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5944
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3948
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Users\Admin\Desktop\ReturnThief.exe
"C:\Users\Admin\Desktop\ReturnThief.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4488
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:6048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3356
- C:\Users\Admin\Desktop\ReturnThief.exe
  "C:\Users\Admin\Desktop\ReturnThief.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1892,i,12147657738589495253,13930276375249223466,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5228
- C:\Users\Admin\Desktop\ReturnThief.exe
  "C:\Users\Admin\Desktop\ReturnThief.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=1920 --field-trial-handle=1892,i,12147657738589495253,13930276375249223466,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1720
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3836
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5164
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:4120
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3888
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eed7ba7eabd89257c6b6267744683c5e

SHA1
4b303de4a974e06435e15d19717907546a55dbfb

SHA256
287b00b5565b1e2892c242c71f6636784c0bcf011b3a5c3c8f88237e81dffc84

SHA512
bf1903f06dcff10671fdbc6e7a8225a1233ef2c77db2381fc6dc199a1f1f444f7f67c6726d77ae43c91e7087b64568ec8ffbe4bf69de45e893da86cbdd8deddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06d128ef8a80cd365f490ed2447a5a7f

SHA1
ed1811bf7dd85564f82621055da91568d64d0b7c

SHA256
4bfdd80b65b40cd09840ef9371a4827ac0206647b120e6cf6dfcd60f117531a8

SHA512
19430eac805cf93d07a731fda9088de32fb520a698bf1f5dcf5b1bad50d68499fbc32ccddfe48a45396dca048bd038439d88294c1eeb71dc017f2895ceab8fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3624bb0640092b8f471b7a392ab25ad7

SHA1
a9180c2046e90104912751b3c40928dcedcc51f7

SHA256
2b46b4116daaccbe911874fc47c20b5e11cccc1a107ef472ccc195912c59cdae

SHA512
b6acd0086c95b0083dedc2f3e7cd7302a0c69603af90f2aced768f412a3c46e0ea76451d7bb84288c79f2e45ae608a2aa28fb842056711df6f19682781be360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242b436-f383-4073-8998-8dea94694de0.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jkyqinq.pax.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e660829f-d5f1-4040-a585-a536a8816e24.tmp.node

Filesize
1.6MB

MD5
16e02f82943a647ce5bcd96479d93299

SHA1
694c7da9c8b6857979bdd9c640a27603ab620546

SHA256
7ae0ead9b9a3270ab7cab464fbd9fb35bd04ea3e3828115084040934dbd1dc0f

SHA512
ab12563d0502ca21fa037657d42e404a5ac6800751f5cca7d1cc3675b3689fe7010d9027d5515162edd7d13fb89f7d9336cbdbfe50651dcf3314c12a51ce93b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\k9slnss95q05\Cookies\Chrome.txt

Filesize
251B

MD5
c322ff8283545c83e48b7e50c773f5e8

SHA1
29f8c589b07ebd9ac136432b28f680ec583b20b3

SHA256
f26b9aaf266f777bbb06b7aa0273c676ceec6c0acdaa47ec4a9a3b95fc551e8a

SHA512
28ef34e93a9390a46c451f77fd5605b2d51af1cacd5930c2490e4297a3a3d4833e48be53dec76353e37082e2a2ab2f3858a6de2b326e73bfe979e98c02668c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords_0.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\Desktop\chrome_100_percent.pak

Filesize
124KB

MD5
acd0fa0a90b43cd1c87a55a991b4fac3

SHA1
17b84e8d24da12501105b87452f86bfa5f9b1b3c

SHA256
ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b

SHA512
3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

Download Submit
C:\Users\Admin\Desktop\chrome_200_percent.pak

Filesize
173KB

MD5
4610337e3332b7e65b73a6ea738b47df

SHA1
8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b

SHA256
c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c

SHA512
039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

Download Submit
C:\Users\Admin\Desktop\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\Desktop\ffmpeg.dll

Filesize
2.7MB

MD5
a007299c49fa50aeff594655859780ae

SHA1
d202f1f617023763a0e9418878e8ecac96be9fd4

SHA256
b78f0036621ad1d5833289f2ad509963ef78f1a89a3c7df0f1370fd2d35a2804

SHA512
444c4baa1e1d941bd04f78184cec519c6eb53a83fbc3aa3ea30522bffc9ecde73ebe7b910c1a37c345429298ada3c0ffcb3e3849e21b2009487b5cd1a02cb2a9

Download Submit
C:\Users\Admin\Desktop\icudtl.dat

Filesize
10.1MB

MD5
2134e5dbc46fb1c46eac0fe1af710ec3

SHA1
dbecf2d193ae575aba4217194d4136bd9291d4db

SHA256
ee3c8883effd90edfb0ff5b758c560cbca25d1598fcb55b80ef67e990dd19d41

SHA512
b9b50614d9baebf6378e5164d70be7fe7ef3051cfff38733fe3c7448c5de292754bbbb8da833e26115a185945be419be8dd1030fc230ed69f388479853bc0fcb

Download Submit
C:\Users\Admin\Desktop\libEGL.dll

Filesize
469KB

MD5
ca5bb0794b7700601e9438283d458665

SHA1
7fcf090b19820b9450937be800575c526448b581

SHA256
4a8be3b4d9fe790efdce38cff8f312a2f8276908d6703e0c6c37818e217cf1e3

SHA512
36ebab858fe7e014837548575389e7df2e86676888e4a9039c736d0f2e6463102e68989b794d949ddb16d9bcce43ce55737fcf2a4b09b1667bf968a9540e9f32

Download Submit
C:\Users\Admin\Desktop\libGLESv2.dll

Filesize
7.3MB

MD5
05b585464f18fe0e3bddb20527697d66

SHA1
8bcec2f0b409afa9ff054e25f3ce85eb9bd50010

SHA256
0bb7c6c08b569c1d2de90a40e6c142591e160a7c6cb15d21807f3404a48c4287

SHA512
f680ab9c3070f443c7359bb3f0c2032f5c58c88c7823e4592e8212ce8815ea5f463c86df113f5320944c62d3cb4e8d45b9b4dcaadccc1ac9bf203ae4bb52083c

Download Submit
C:\Users\Admin\Desktop\locales\en-US.pak

Filesize
338KB

MD5
5e3813e616a101e4a169b05f40879a62

SHA1
615e4d94f69625dda81dfaec7f14e9ee320a2884

SHA256
4d207c5c202c19c4daca3fddb2ae4f747f943a8faf86a947eef580e2f2aee687

SHA512
764a271a9cfb674cce41ee7aed0ad75f640ce869efd3c865d1b2d046c9638f4e8d9863a386eba098f5dcedd20ea98bad8bca158b68eb4bdd606d683f31227594

Download Submit
C:\Users\Admin\Desktop\resources.pak

Filesize
5.0MB

MD5
31c7d4b11ad95dfe539dd098e0fab736

SHA1
5418682d939ce8485ecc9125b872c14ffec662c2

SHA256
a251019eb08f1e695e935d224544bda37c5ae092ba68a89fa1fe3bd19bde4f5c

SHA512
f868a4afa4e0d5c561873d2a728e267f98da2df3fb90966e5736d496b6a24e71769a02b0346b27b7dcce11cbe07248e309f50a89977dc8e5bbc06d6cc31bf738

Download Submit
C:\Users\Admin\Desktop\v8_context_snapshot.bin

Filesize
574KB

MD5
146e284750735ef4798527dc1cd0e741

SHA1
6408985b7d05c768a62bcb912234f14e1898ffdb

SHA256
3820e8fa1077d02606fea8e1b3a9ca4bf7f4a71d0569d9a8ea9ee7a009d0ce80

SHA512
46824df5d20e02fb72c3efd07bee6d832b1ab78c0163688fa84edb831cbfbef2dde12ba9da01f9dd49c4008bd3862a95699a2f6d55b8d4b3165976d3851c7278

Download Submit
C:\Users\Admin\Desktop\vk_swiftshader.dll

Filesize
5.1MB

MD5
750cbdfb01943e28e08708183ec208b5

SHA1
1bee0cd3d0970834b2a47daf384354f243fd1ee0

SHA256
a6d295dcc3afcb55aa79eac5f896bceb15ccb2b798db3bb076ceeea78073791a

SHA512
dbfdf76f40558ce2f23ca315b8719e283f0f22f46e733f37c2ae237fdafd23cf7962f36547ba1bb2d5b219de11546c3dc06859fac498a7da97df41018c0d80c4

Download Submit
\??\pipe\crashpad_4120_EEIUUQVNHWGFXHUG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1264-194-0x000002713CE00000-0x000002713CE22000-memory.dmp

Filesize
136KB

Download