kinsing | 894c046b185fff2c40af6afd117148e54b830383224f387ed2f389c0556fcf92

General

Target

Zero_Loader.exe
Size

51.3MB
MD5

0216e67c988fe280add3a09e262dac03
SHA1

4c0a6dec8c8cd2745c5306c5e660afe39263c5b0
SHA256

a5fd77cf9ba05e9c133f773665a66fc84cd8d50e11949fd9d578836dc2e4222e
SHA512

1eeab94cfd5d3570d840e39366eca900fe16763e5b2a2d499a6defd521cf2c95b4f01fcbd7cd1c9bc70bdf9b7f3480e5372d908530dcd01743a87e1e245626ee
SSDEEP

786432:fMguj8Q4VfvIqFTrYI2mkZlNc2cqmDAZUU2nE2:fiAQIHIkHb2pZU98ZyE2

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Blocklisted process makes network request 6 IoCs

Processes:

cmd.exepowershell.exe

flow pid process

41 4796 cmd.exe
44 4796 cmd.exe
47 4796 cmd.exe
49 4796 cmd.exe
51 4796 cmd.exe
5 3112 powershell.exe

flow	pid	process
41	4796	cmd.exe
44	4796	cmd.exe
47	4796	cmd.exe
49	4796	cmd.exe
51	4796	cmd.exe
5	3112	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zero_Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Zero_Loader.exe

Drops startup file 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe

Loads dropped DLL 2 IoCs

Processes:

Zero_Loader.exe

pid process

4556 Zero_Loader.exe
4556 Zero_Loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4556	Zero_Loader.exe
4556	Zero_Loader.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Save-vNnG6Dihrq\FilesGrabber\desktop.ini	Zero_Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Save-vNnG6Dihrq\FilesGrabber\desktop.ini	Zero_Loader.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
16 api.ipify.org
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

3368 WMIC.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1860 WMIC.exe

flow	ioc
15	api.ipify.org
16	api.ipify.org

pid	process
3368	WMIC.exe

pid	process
1860	WMIC.exe

Modifies registry key 1 TTPs 37 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3644	reg.exe
4256	reg.exe
4488	reg.exe
1856	reg.exe
780	reg.exe
3984	reg.exe
1512	reg.exe
1456	reg.exe
232	reg.exe
3056	reg.exe
1584	reg.exe
2060	reg.exe
4916	reg.exe
4076	reg.exe
3220	reg.exe
1476	reg.exe
4516	reg.exe
3224	reg.exe
4796	reg.exe
2420	reg.exe
4500	reg.exe
2844	reg.exe
4032	reg.exe
3832	reg.exe
2940	reg.exe
4224	reg.exe
1944	reg.exe
2744	reg.exe
3152	reg.exe
4716	reg.exe
3628	reg.exe
3772	reg.exe
4152	reg.exe
4748	reg.exe
5100	reg.exe
32	reg.exe
3828	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.execmd.execmd.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exe

pid	process
864	powershell.exe
864	powershell.exe
3232	powershell.exe
3232	powershell.exe
3292	powershell.exe
3292	powershell.exe
2956	powershell.exe
2956	powershell.exe
1708	powershell.exe
1708	powershell.exe
4416	powershell.exe
4416	powershell.exe
4348	powershell.exe
4348	powershell.exe
4740	powershell.exe
4740	powershell.exe
1392	powershell.exe
1392	powershell.exe
4436	cmd.exe
4436	cmd.exe
2776	powershell.exe
2776	powershell.exe
2296	powershell.exe
2296	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
4640	cmd.exe
4640	cmd.exe
4640	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
940	powershell.exe
940	powershell.exe
4052	powershell.exe
4052	powershell.exe
2312	powershell.exe
2312	powershell.exe
1452	cmd.exe
1452	cmd.exe
3612	powershell.exe
3612	powershell.exe
4468	powershell.exe
4468	powershell.exe
1336	powershell.exe
1336	powershell.exe
1508	powershell.exe
1508	powershell.exe
4808	powershell.exe
4808	powershell.exe
232	powershell.exe
232	powershell.exe
3240	powershell.exe
3240	powershell.exe
3484	cmd.exe
3484	cmd.exe
3856	powershell.exe
3856	powershell.exe
3132	powershell.exe
3132	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe
Token: SeShutdownPrivilege	2108	WMIC.exe
Token: SeDebugPrivilege	2108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2108	WMIC.exe
Token: SeRemoteShutdownPrivilege	2108	WMIC.exe
Token: SeUndockPrivilege	2108	WMIC.exe
Token: SeManageVolumePrivilege	2108	WMIC.exe
Token: 33	2108	WMIC.exe
Token: 34	2108	WMIC.exe
Token: 35	2108	WMIC.exe
Token: 36	2108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe
Token: SeShutdownPrivilege	2108	WMIC.exe
Token: SeDebugPrivilege	2108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2108	WMIC.exe
Token: SeRemoteShutdownPrivilege	2108	WMIC.exe
Token: SeUndockPrivilege	2108	WMIC.exe
Token: SeManageVolumePrivilege	2108	WMIC.exe
Token: 33	2108	WMIC.exe
Token: 34	2108	WMIC.exe
Token: 35	2108	WMIC.exe
Token: 36	2108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zero_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4556 wrote to memory of 3080	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 3080	4556	Zero_Loader.exe	cmd.exe
PID 3080 wrote to memory of 3788	3080	cmd.exe	HOSTNAME.EXE
PID 3080 wrote to memory of 3788	3080	cmd.exe	HOSTNAME.EXE
PID 4556 wrote to memory of 4480	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4480	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 1316	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 1316	4556	Zero_Loader.exe	cmd.exe
PID 1316 wrote to memory of 2108	1316	cmd.exe	WMIC.exe
PID 1316 wrote to memory of 2108	1316	cmd.exe	WMIC.exe
PID 1316 wrote to memory of 1224	1316	cmd.exe	more.com
PID 1316 wrote to memory of 1224	1316	cmd.exe	more.com
PID 4556 wrote to memory of 1596	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 1596	4556	Zero_Loader.exe	cmd.exe
PID 1596 wrote to memory of 712	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 712	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 228	1596	cmd.exe	more.com
PID 1596 wrote to memory of 228	1596	cmd.exe	more.com
PID 4556 wrote to memory of 32	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 32	4556	Zero_Loader.exe	cmd.exe
PID 32 wrote to memory of 1080	32	cmd.exe	WMIC.exe
PID 32 wrote to memory of 1080	32	cmd.exe	WMIC.exe
PID 32 wrote to memory of 2200	32	cmd.exe	more.com
PID 32 wrote to memory of 2200	32	cmd.exe	more.com
PID 4556 wrote to memory of 3220	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 3220	4556	Zero_Loader.exe	cmd.exe
PID 3220 wrote to memory of 1860	3220	cmd.exe	WMIC.exe
PID 3220 wrote to memory of 1860	3220	cmd.exe	WMIC.exe
PID 3220 wrote to memory of 4416	3220	cmd.exe	more.com
PID 3220 wrote to memory of 4416	3220	cmd.exe	more.com
PID 4556 wrote to memory of 4384	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 4384	4556	Zero_Loader.exe	cmd.exe
PID 4384 wrote to memory of 4472	4384	cmd.exe	WMIC.exe
PID 4384 wrote to memory of 4472	4384	cmd.exe	WMIC.exe
PID 4384 wrote to memory of 4004	4384	cmd.exe	more.com
PID 4384 wrote to memory of 4004	4384	cmd.exe	more.com
PID 4556 wrote to memory of 912	4556	Zero_Loader.exe	cmd.exe
PID 4556 wrote to memory of 912	4556	Zero_Loader.exe	cmd.exe
PID 912 wrote to memory of 3368	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 3368	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 3212	912	cmd.exe	more.com
PID 912 wrote to memory of 3212	912	cmd.exe	more.com
PID 4556 wrote to memory of 4916	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4916	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4152	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4152	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4516	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4516	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4748	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4748	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4048	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4048	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 3644	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 3644	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4256	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4256	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4500	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4500	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 1944	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 1944	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4076	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 4076	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 2844	4556	Zero_Loader.exe	reg.exe
PID 4556 wrote to memory of 2844	4556	Zero_Loader.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "hostname"
2⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\HOSTNAME.EXE
hostname
3⤵
PID:3788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
2⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\more.com
more +1
3⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\more.com
more +1
3⤵
PID:228

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\system32\more.com
more +1
3⤵
PID:2200

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\more.com
more +1
3⤵
PID:4416

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
3⤵
PID:4472

C:\Windows\system32\more.com
more +1
3⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\more.com
more +1
3⤵
PID:3212

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
3⤵
- Collects information from the system
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:4916

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:4152

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
2⤵
- Modifies registry key
PID:4516

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
2⤵
- Modifies registry key
PID:4748

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
2⤵
PID:4048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
2⤵
- Modifies registry key
PID:3644

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
2⤵
- Modifies registry key
PID:4256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
2⤵
- Modifies registry key
PID:4500

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
2⤵
- Modifies registry key
PID:1944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
2⤵
- Modifies registry key
PID:4076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
2⤵
- Modifies registry key
PID:2844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
2⤵
- Modifies registry key
PID:2744

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
2⤵
- Modifies registry key
PID:3224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
2⤵
PID:4468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
2⤵
- Modifies registry key
PID:1512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
2⤵
- Modifies registry key
PID:5100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
2⤵
PID:3256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
2⤵
- Modifies registry key
PID:1456

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
2⤵
PID:3240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
2⤵
- Modifies registry key
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}
2⤵
- Modifies registry key
PID:232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
2⤵
- Modifies registry key
PID:3832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}
2⤵
- Modifies registry key
PID:780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}
2⤵
- Modifies registry key
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:456

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}
2⤵
- Modifies registry key
PID:4716

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
2⤵
- Modifies registry key
PID:3628

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
2⤵
- Modifies registry key
PID:4488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}
2⤵
- Modifies registry key
PID:2940

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}
2⤵
- Modifies registry key
PID:3056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
2⤵
- Modifies registry key
PID:32

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}
2⤵
- Modifies registry key
PID:1856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}
2⤵
- Modifies registry key
PID:3984

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:4224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:1584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:3220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}
2⤵
- Modifies registry key
PID:4796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}
2⤵
- Modifies registry key
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3600

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}
2⤵
- Modifies registry key
PID:3772

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
2⤵
- Modifies registry key
PID:2060

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}
2⤵
- Modifies registry key
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}
2⤵
- Modifies registry key
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Blocklisted process makes network request
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Blocklisted process makes network request
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfnzxqma.oz4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f\win-dpapi\build\Release\node-dpapi.node
Filesize
136KB

MD5
79e6fb42b4575bc2c824cd14f3de1603

SHA1
9c6a9bb6237a0103c37dd753c232178050a86992

SHA256
2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f

SHA512
cc320134254df38e27db80a8bab8d0e8a53518974161007bf06a3cf0ec28b3f6ae36fec94bec9565975b1f4d25868cac3c04fd9e1b38236db3f8490e2f6a5c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\places.sqlite_tmp
Filesize
5.0MB

MD5
eaf7e4f0bdec022727515d4ade159d11

SHA1
bd2f3c1761e64b3bdd0c66cd1455cf367e45672a

SHA256
97bde867f38cb9a0412d24ea15e20ed7a52c88392341b368e7d6ad2b3f3b1a15

SHA512
21fc62d95bd0f0a520356156f3099fd565709c21388881fe4b51180b97e448c34ac28b358509a2da02a00b0fd9323f0410e5c4d329f805b978d2b003ce03000e

Download Submit
memory/864-315-0x0000028045730000-0x0000028045752000-memory.dmp

Filesize
136KB

Download
memory/864-323-0x0000028044D70000-0x0000028044D80000-memory.dmp

Filesize
64KB

Download
memory/864-326-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/864-322-0x0000028044D70000-0x0000028044D80000-memory.dmp

Filesize
64KB

Download
memory/864-321-0x0000028044D70000-0x0000028044D80000-memory.dmp

Filesize
64KB

Download
memory/864-320-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/940-555-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/1392-442-0x00000198F21F0000-0x00000198F2200000-memory.dmp

Filesize
64KB

Download
memory/1392-443-0x00000198F21F0000-0x00000198F2200000-memory.dmp

Filesize
64KB

Download
memory/1392-444-0x00000198F21F0000-0x00000198F2200000-memory.dmp

Filesize
64KB

Download
memory/1392-441-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/1392-446-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/1708-373-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/1708-385-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/1708-383-0x000001F2245B0000-0x000001F2245C0000-memory.dmp

Filesize
64KB

Download
memory/1708-378-0x000001F2245B0000-0x000001F2245C0000-memory.dmp

Filesize
64KB

Download
memory/2296-484-0x00000254E33E0000-0x00000254E33F0000-memory.dmp

Filesize
64KB

Download
memory/2296-477-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/2296-490-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/2776-476-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/2776-471-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/2776-472-0x00000188F2610000-0x00000188F2620000-memory.dmp

Filesize
64KB

Download
memory/2776-474-0x00000188F2610000-0x00000188F2620000-memory.dmp

Filesize
64KB

Download
memory/2956-370-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/2956-368-0x0000015EDE590000-0x0000015EDE5A0000-memory.dmp

Filesize
64KB

Download
memory/2956-367-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3232-340-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3232-333-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3292-353-0x000001E3763D0000-0x000001E3763E0000-memory.dmp

Filesize
64KB

Download
memory/3292-356-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3292-350-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3292-352-0x000001E3763D0000-0x000001E3763E0000-memory.dmp

Filesize
64KB

Download
memory/3292-354-0x000001E3763D0000-0x000001E3763E0000-memory.dmp

Filesize
64KB

Download
memory/3628-505-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3628-501-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3628-503-0x000002226A360000-0x000002226A370000-memory.dmp

Filesize
64KB

Download
memory/3628-502-0x000002226A360000-0x000002226A370000-memory.dmp

Filesize
64KB

Download
memory/3856-517-0x0000028722C30000-0x0000028722C40000-memory.dmp

Filesize
64KB

Download
memory/3856-521-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/3856-519-0x0000028722C30000-0x0000028722C40000-memory.dmp

Filesize
64KB

Download
memory/3856-518-0x0000028722C30000-0x0000028722C40000-memory.dmp

Filesize
64KB

Download
memory/3856-515-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4348-412-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4348-415-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4348-413-0x0000013171C80000-0x0000013171C90000-memory.dmp

Filesize
64KB

Download
memory/4416-395-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4416-399-0x000001D7A80A0000-0x000001D7A80B0000-memory.dmp

Filesize
64KB

Download
memory/4416-397-0x000001D7A80A0000-0x000001D7A80B0000-memory.dmp

Filesize
64KB

Download
memory/4416-401-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4416-398-0x000001D7A80A0000-0x000001D7A80B0000-memory.dmp

Filesize
64KB

Download
memory/4436-459-0x0000017CBF520000-0x0000017CBF530000-memory.dmp

Filesize
64KB

Download
memory/4436-457-0x0000017CBF520000-0x0000017CBF530000-memory.dmp

Filesize
64KB

Download
memory/4436-456-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-461-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4640-533-0x00000237EF5C0000-0x00000237EF5D0000-memory.dmp

Filesize
64KB

Download
memory/4640-522-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4640-535-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4740-418-0x0000023B986A0000-0x0000023B986B0000-memory.dmp

Filesize
64KB

Download
memory/4740-430-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4740-416-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4740-417-0x0000023B986A0000-0x0000023B986B0000-memory.dmp

Filesize
64KB

Download
memory/4760-545-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download
memory/4760-547-0x000001C6AE310000-0x000001C6AE320000-memory.dmp

Filesize
64KB

Download
memory/4760-549-0x00007FF8FB060000-0x00007FF8FBB21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads