894c046b185fff2c40af6afd117148e54b830383224f387ed2f389c0556fcf92

General

Target

Zero_Loader.exe
Size

51.3MB
MD5

0216e67c988fe280add3a09e262dac03
SHA1

4c0a6dec8c8cd2745c5306c5e660afe39263c5b0
SHA256

a5fd77cf9ba05e9c133f773665a66fc84cd8d50e11949fd9d578836dc2e4222e
SHA512

1eeab94cfd5d3570d840e39366eca900fe16763e5b2a2d499a6defd521cf2c95b4f01fcbd7cd1c9bc70bdf9b7f3480e5372d908530dcd01743a87e1e245626ee
SSDEEP

786432:fMguj8Q4VfvIqFTrYI2mkZlNc2cqmDAZUU2nE2:fiAQIHIkHb2pZU98ZyE2

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe

Loads dropped DLL 2 IoCs

Processes:

Zero_Loader.exe

pid process

1400 Zero_Loader.exe
1400 Zero_Loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1400	Zero_Loader.exe
1400	Zero_Loader.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Save-JiXDfiFdsq\FilesGrabber\desktop.ini	Zero_Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Save-JiXDfiFdsq\FilesGrabber\desktop.ini	Zero_Loader.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

2024 WMIC.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2520 WMIC.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

pid	process
2024	WMIC.exe

pid	process
2520	WMIC.exe

Modifies registry key 1 TTPs 37 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1556	reg.exe
868	reg.exe
5092	reg.exe
2364	reg.exe
1136	reg.exe
1080	reg.exe
5052	reg.exe
4248	reg.exe
4308	reg.exe
1108	reg.exe
3544	reg.exe
4716	reg.exe
4808	reg.exe
2272	reg.exe
2588	reg.exe
2196	reg.exe
4740	reg.exe
3708	reg.exe
2772	reg.exe
2584	reg.exe
2008	reg.exe
1848	reg.exe
2620	reg.exe
2020	reg.exe
3548	reg.exe
1900	reg.exe
1144	reg.exe
2692	reg.exe
2672	reg.exe
1864	reg.exe
4264	reg.exe
328	reg.exe
1508	reg.exe
3656	reg.exe
1840	reg.exe
4712	reg.exe
2092	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.execmd.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.execmd.execmd.exepowershell.execmd.execmd.execmd.exepowershell.exepowershell.execmd.exepowershell.execmd.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1208	powershell.exe
1208	powershell.exe
4788	cmd.exe
4788	cmd.exe
4200	powershell.exe
4200	powershell.exe
4324	cmd.exe
4324	cmd.exe
4988	powershell.exe
4988	powershell.exe
1728	powershell.exe
1728	powershell.exe
5012	powershell.exe
5012	powershell.exe
780	powershell.exe
780	powershell.exe
872	powershell.exe
872	powershell.exe
3208	cmd.exe
3208	cmd.exe
4632	powershell.exe
4632	powershell.exe
2728	powershell.exe
2728	powershell.exe
1848	powershell.exe
1848	powershell.exe
1080	cmd.exe
1080	cmd.exe
3740	cmd.exe
3740	cmd.exe
3384	powershell.exe
3384	powershell.exe
2356	cmd.exe
2356	cmd.exe
3128	cmd.exe
3128	cmd.exe
1260	cmd.exe
1260	cmd.exe
2764	powershell.exe
2764	powershell.exe
3012	powershell.exe
3012	powershell.exe
3320	cmd.exe
3320	cmd.exe
4452	powershell.exe
4452	powershell.exe
4460	cmd.exe
4460	cmd.exe
3888	cmd.exe
3888	cmd.exe
4692	powershell.exe
4692	powershell.exe
1860	powershell.exe
1860	powershell.exe
2292	cmd.exe
2292	cmd.exe
1108	powershell.exe
1108	powershell.exe
4964	powershell.exe
4964	powershell.exe
4204	powershell.exe
4204	powershell.exe
1732	powershell.exe
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exereg.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	reg.exe
Token: SeSecurityPrivilege	1864	reg.exe
Token: SeTakeOwnershipPrivilege	1864	reg.exe
Token: SeLoadDriverPrivilege	1864	reg.exe
Token: SeSystemProfilePrivilege	1864	reg.exe
Token: SeSystemtimePrivilege	1864	reg.exe
Token: SeProfSingleProcessPrivilege	1864	reg.exe
Token: SeIncBasePriorityPrivilege	1864	reg.exe
Token: SeCreatePagefilePrivilege	1864	reg.exe
Token: SeBackupPrivilege	1864	reg.exe
Token: SeRestorePrivilege	1864	reg.exe
Token: SeShutdownPrivilege	1864	reg.exe
Token: SeDebugPrivilege	1864	reg.exe
Token: SeSystemEnvironmentPrivilege	1864	reg.exe
Token: SeRemoteShutdownPrivilege	1864	reg.exe
Token: SeUndockPrivilege	1864	reg.exe
Token: SeManageVolumePrivilege	1864	reg.exe
Token: 33	1864	reg.exe
Token: 34	1864	reg.exe
Token: 35	1864	reg.exe
Token: 36	1864	reg.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeSecurityPrivilege	2416	WMIC.exe
Token: SeTakeOwnershipPrivilege	2416	WMIC.exe
Token: SeLoadDriverPrivilege	2416	WMIC.exe
Token: SeSystemProfilePrivilege	2416	WMIC.exe
Token: SeSystemtimePrivilege	2416	WMIC.exe
Token: SeProfSingleProcessPrivilege	2416	WMIC.exe
Token: SeIncBasePriorityPrivilege	2416	WMIC.exe
Token: SeCreatePagefilePrivilege	2416	WMIC.exe
Token: SeBackupPrivilege	2416	WMIC.exe
Token: SeRestorePrivilege	2416	WMIC.exe
Token: SeShutdownPrivilege	2416	WMIC.exe
Token: SeDebugPrivilege	2416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2416	WMIC.exe
Token: SeRemoteShutdownPrivilege	2416	WMIC.exe
Token: SeUndockPrivilege	2416	WMIC.exe
Token: SeManageVolumePrivilege	2416	WMIC.exe
Token: 33	2416	WMIC.exe
Token: 34	2416	WMIC.exe
Token: 35	2416	WMIC.exe
Token: 36	2416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zero_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 3764	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 3764	1400	Zero_Loader.exe	cmd.exe
PID 3764 wrote to memory of 1444	3764	cmd.exe	HOSTNAME.EXE
PID 3764 wrote to memory of 1444	3764	cmd.exe	HOSTNAME.EXE
PID 1400 wrote to memory of 4268	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4268	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 780	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 780	1400	Zero_Loader.exe	cmd.exe
PID 780 wrote to memory of 1864	780	cmd.exe	WMIC.exe
PID 780 wrote to memory of 1864	780	cmd.exe	WMIC.exe
PID 780 wrote to memory of 2108	780	cmd.exe	more.com
PID 780 wrote to memory of 2108	780	cmd.exe	more.com
PID 1400 wrote to memory of 1720	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 1720	1400	Zero_Loader.exe	cmd.exe
PID 1720 wrote to memory of 2416	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 2416	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 3000	1720	cmd.exe	more.com
PID 1720 wrote to memory of 3000	1720	cmd.exe	more.com
PID 1400 wrote to memory of 2424	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 2424	1400	Zero_Loader.exe	cmd.exe
PID 2424 wrote to memory of 2296	2424	cmd.exe	WMIC.exe
PID 2424 wrote to memory of 2296	2424	cmd.exe	WMIC.exe
PID 2424 wrote to memory of 2348	2424	cmd.exe	more.com
PID 2424 wrote to memory of 2348	2424	cmd.exe	more.com
PID 1400 wrote to memory of 3108	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 3108	1400	Zero_Loader.exe	cmd.exe
PID 3108 wrote to memory of 2520	3108	cmd.exe	WMIC.exe
PID 3108 wrote to memory of 2520	3108	cmd.exe	WMIC.exe
PID 3108 wrote to memory of 640	3108	cmd.exe	more.com
PID 3108 wrote to memory of 640	3108	cmd.exe	more.com
PID 1400 wrote to memory of 1128	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 1128	1400	Zero_Loader.exe	cmd.exe
PID 1128 wrote to memory of 2484	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 2484	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 3404	1128	cmd.exe	more.com
PID 1128 wrote to memory of 3404	1128	cmd.exe	more.com
PID 1400 wrote to memory of 4452	1400	Zero_Loader.exe	cmd.exe
PID 1400 wrote to memory of 4452	1400	Zero_Loader.exe	cmd.exe
PID 4452 wrote to memory of 2024	4452	cmd.exe	WMIC.exe
PID 4452 wrote to memory of 2024	4452	cmd.exe	WMIC.exe
PID 4452 wrote to memory of 3192	4452	cmd.exe	more.com
PID 4452 wrote to memory of 3192	4452	cmd.exe	more.com
PID 1400 wrote to memory of 1848	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1848	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 2620	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 2620	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4808	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4808	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4800	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4800	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4740	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 4740	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1080	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1080	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 3656	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 3656	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 3708	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 3708	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1556	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1556	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1144	1400	Zero_Loader.exe	reg.exe
PID 1400 wrote to memory of 1144	1400	Zero_Loader.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "hostname"
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\HOSTNAME.EXE
hostname
3⤵
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
2⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\more.com
more +1
3⤵
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\more.com
more +1
3⤵
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:2296

C:\Windows\system32\more.com
more +1
3⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\more.com
more +1
3⤵
PID:3404

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
3⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\more.com
more +1
3⤵
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3824

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
3⤵
- Collects information from the system
PID:2024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:1848

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:1900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
2⤵
- Modifies registry key
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
2⤵
- Modifies registry key
PID:4808

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
2⤵
PID:4800

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
2⤵
- Modifies registry key
PID:4740

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
2⤵
- Modifies registry key
PID:1080

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
2⤵
- Modifies registry key
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
2⤵
- Modifies registry key
PID:3708

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
2⤵
- Modifies registry key
PID:1556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
2⤵
- Modifies registry key
PID:1144

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
2⤵
- Modifies registry key
PID:868

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
2⤵
- Modifies registry key
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4500

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
2⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4932

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
2⤵
- Modifies registry key
PID:2672

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
2⤵
- Modifies registry key
PID:2092

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
2⤵
PID:1632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
2⤵
PID:5048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
2⤵
- Modifies registry key
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
2⤵
- Modifies registry key
PID:2772

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}
2⤵
- Modifies registry key
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4524

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
2⤵
- Modifies registry key
PID:5052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}
2⤵
- Modifies registry key
PID:1840

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}
2⤵
- Modifies registry key
PID:5092

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}
2⤵
- Modifies registry key
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
2⤵
- Modifies registry key
PID:2020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
2⤵
- Modifies registry key
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}
2⤵
- Modifies registry key
PID:4264

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}
2⤵
- Modifies registry key
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2516

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}
2⤵
- Modifies registry key
PID:328

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
2⤵
- Modifies registry key
PID:2272

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}
2⤵
- Modifies registry key
PID:4248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:4308

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:2588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}
2⤵
- Modifies registry key
PID:2008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}
2⤵
- Modifies registry key
PID:4712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}
2⤵
- Modifies registry key
PID:1108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
2⤵
- Modifies registry key
PID:1136

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}
2⤵
- Modifies registry key
PID:3544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}
2⤵
- Modifies registry key
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:3824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4500

C:\Windows\system32\more.com
more +1
1⤵
PID:640

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
2⤵
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdsznahq.2v4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f\win-dpapi\build\Release\node-dpapi.node
Filesize
136KB

MD5
79e6fb42b4575bc2c824cd14f3de1603

SHA1
9c6a9bb6237a0103c37dd753c232178050a86992

SHA256
2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f

SHA512
cc320134254df38e27db80a8bab8d0e8a53518974161007bf06a3cf0ec28b3f6ae36fec94bec9565975b1f4d25868cac3c04fd9e1b38236db3f8490e2f6a5c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\places.sqlite_tmp
Filesize
5.0MB

MD5
c047ee6bef9bf5739b407f277a43b815

SHA1
92e79b14e413ce23b721bc37479c8a5a3dc20e54

SHA256
0fa15babc6307f096d000abc2f3fa8885bbe415a845fb31aa48366684948d5ba

SHA512
b568287b1e0a1d1706733298474b95612ef45efc118f4481ab1bf72a1a72cf781cca38b8d8fe2d2ec4dbf535297e11c384840f1714671a67621a6b26ff4da46c

Download Submit
memory/780-487-0x000001FD9DFC0000-0x000001FD9DFD0000-memory.dmp

Filesize
64KB

Download
memory/780-488-0x000001FD9DFC0000-0x000001FD9DFD0000-memory.dmp

Filesize
64KB

Download
memory/780-490-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/780-486-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/872-501-0x000001CF94A50000-0x000001CF94A60000-memory.dmp

Filesize
64KB

Download
memory/872-502-0x000001CF94A50000-0x000001CF94A60000-memory.dmp

Filesize
64KB

Download
memory/872-500-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/872-503-0x000001CF94A50000-0x000001CF94A60000-memory.dmp

Filesize
64KB

Download
memory/872-505-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1080-575-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1080-572-0x000001E9B3AD0000-0x000001E9B3AE0000-memory.dmp

Filesize
64KB

Download
memory/1080-570-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1080-573-0x000001E9B3AD0000-0x000001E9B3AE0000-memory.dmp

Filesize
64KB

Download
memory/1208-382-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1208-383-0x000001ECF93E0000-0x000001ECF93F0000-memory.dmp

Filesize
64KB

Download
memory/1208-378-0x000001ECF93A0000-0x000001ECF93C2000-memory.dmp

Filesize
136KB

Download
memory/1208-384-0x000001ECF93E0000-0x000001ECF93F0000-memory.dmp

Filesize
64KB

Download
memory/1208-387-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1728-458-0x0000024F2EF50000-0x0000024F2EF60000-memory.dmp

Filesize
64KB

Download
memory/1728-457-0x0000024F2EF50000-0x0000024F2EF60000-memory.dmp

Filesize
64KB

Download
memory/1728-456-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1728-459-0x0000024F2EF50000-0x0000024F2EF60000-memory.dmp

Filesize
64KB

Download
memory/1728-461-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1848-559-0x0000026BD9570000-0x0000026BD9580000-memory.dmp

Filesize
64KB

Download
memory/1848-557-0x0000026BD9570000-0x0000026BD9580000-memory.dmp

Filesize
64KB

Download
memory/1848-556-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/1848-561-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/2728-545-0x0000020F7FAB0000-0x0000020F7FAC0000-memory.dmp

Filesize
64KB

Download
memory/2728-543-0x0000020F7FAB0000-0x0000020F7FAC0000-memory.dmp

Filesize
64KB

Download
memory/2728-542-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/2728-547-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/3208-516-0x00000238D4620000-0x00000238D4630000-memory.dmp

Filesize
64KB

Download
memory/3208-515-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/3208-519-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/3208-517-0x00000238D4620000-0x00000238D4630000-memory.dmp

Filesize
64KB

Download
memory/3740-586-0x0000020375300000-0x0000020375310000-memory.dmp

Filesize
64KB

Download
memory/3740-585-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4200-415-0x000002CF0E430000-0x000002CF0E440000-memory.dmp

Filesize
64KB

Download
memory/4200-417-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4200-414-0x000002CF0E430000-0x000002CF0E440000-memory.dmp

Filesize
64KB

Download
memory/4200-413-0x000002CF0E430000-0x000002CF0E440000-memory.dmp

Filesize
64KB

Download
memory/4200-412-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4324-427-0x000002882F5B0000-0x000002882F5C0000-memory.dmp

Filesize
64KB

Download
memory/4324-426-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4324-428-0x000002882F5B0000-0x000002882F5C0000-memory.dmp

Filesize
64KB

Download
memory/4324-431-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4632-529-0x0000025C81610000-0x0000025C81620000-memory.dmp

Filesize
64KB

Download
memory/4632-533-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4632-528-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4632-531-0x0000025C81610000-0x0000025C81620000-memory.dmp

Filesize
64KB

Download
memory/4788-402-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4788-397-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4788-398-0x00000266A1140000-0x00000266A1150000-memory.dmp

Filesize
64KB

Download
memory/4788-400-0x00000266A1140000-0x00000266A1150000-memory.dmp

Filesize
64KB

Download
memory/4988-440-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4988-446-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/4988-441-0x000001A26AE60000-0x000001A26AE70000-memory.dmp

Filesize
64KB

Download
memory/4988-444-0x000001A26AE60000-0x000001A26AE70000-memory.dmp

Filesize
64KB

Download
memory/4988-443-0x000001A26AE60000-0x000001A26AE70000-memory.dmp

Filesize
64KB

Download
memory/5012-470-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/5012-474-0x000001C025CA0000-0x000001C025CB0000-memory.dmp

Filesize
64KB

Download
memory/5012-473-0x000001C025CA0000-0x000001C025CB0000-memory.dmp

Filesize
64KB

Download
memory/5012-476-0x00007FFD50DC0000-0x00007FFD51882000-memory.dmp

Filesize
10.8MB

Download
memory/5012-471-0x000001C025CA0000-0x000001C025CB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads