Analysis

- max time kernel: 204s
- max time network: 269s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-04-2024 18:26

Static task: static1

Behavioral task: behavioral1
- Sample: SilverClient.exe
- Resource: win10-20240404-en

General

- Target: SilverClient.exe
- Size: 41KB
- MD5: 3831534da5a571175be3c431aba83fdb
- SHA1: 888aa879e4515bb93369699fc9bb60b204e25efb
- SHA256: b4fcdc9f24f89baa3710678df4598d6818c2d6c58c0183f2bb61a33e0dade3b4
- SHA512: 03232832cdbe928f14802f354a834123f4698b15ca758c0534384f2b46fab371a30725a23e6ce59d6af2fc18c8e53ff9d724ac580689c9ef04ec31027fbb23ce
- SSDEEP: 768:W7S6QjoK6PerzhdYDm4MVRsHZ9PPe0MB6S3nMvrellE:W7S6Qvwm4MVaZ9vMoEnMSllE
Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
Processes:
  resource:   behavioral1/memory/816-69-0x00000000010F0000-0x000000000111A000-memory.dmp
  yara_rule:  family_stormkitty

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid   process
  4824  attrib.exe
  1604  attrib.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  816   $77svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description:  Set value (str)
  ioc:          \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\$77svchost.exe\""
  process:      SilverClient.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3492  schtasks.exe
  4560  schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  1932  timeout.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
Processes (hits per pid, 55 in total):
  pid   process           hits
  3692  SilverClient.exe  15
  4912  powershell.exe    3
  3316  powershell.exe    4
  2808  powershell.exe    4
  2628  powershell.exe    4
  4404  powershell.exe    5
  4556  powershell.exe    5
  4324  powershell.exe    3
  2076  powershell.exe    3
  3016  powershell.exe    4
  4376  powershell.exe    3
  1932  powershell.exe    2
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes:
  description                            pid   process
  Token: SeBackupPrivilege               2192  vssvc.exe
  Token: SeRestorePrivilege              2192  vssvc.exe
  Token: SeAuditPrivilege                2192  vssvc.exe
  Token: SeDebugPrivilege                3692  SilverClient.exe
  Token: SeDebugPrivilege                816   $77svchost.exe
  Token: SeDebugPrivilege                4912  powershell.exe
  Token: SeIncreaseQuotaPrivilege        4912  powershell.exe
  Token: SeSecurityPrivilege             4912  powershell.exe
  Token: SeTakeOwnershipPrivilege        4912  powershell.exe
  Token: SeLoadDriverPrivilege           4912  powershell.exe
  Token: SeSystemProfilePrivilege        4912  powershell.exe
  Token: SeSystemtimePrivilege           4912  powershell.exe
  Token: SeProfSingleProcessPrivilege    4912  powershell.exe
  Token: SeIncBasePriorityPrivilege      4912  powershell.exe
  Token: SeCreatePagefilePrivilege       4912  powershell.exe
  Token: SeBackupPrivilege               4912  powershell.exe
  Token: SeRestorePrivilege              4912  powershell.exe
  Token: SeShutdownPrivilege             4912  powershell.exe
  Token: SeDebugPrivilege                4912  powershell.exe
  Token: SeSystemEnvironmentPrivilege    4912  powershell.exe
  Token: SeRemoteShutdownPrivilege       4912  powershell.exe
  Token: SeUndockPrivilege               4912  powershell.exe
  Token: SeManageVolumePrivilege         4912  powershell.exe
  Token: 33                              4912  powershell.exe
  Token: 34                              4912  powershell.exe
  Token: 35                              4912  powershell.exe
  Token: 36                              4912  powershell.exe
  Token: SeDebugPrivilege                3316  powershell.exe
  Token: SeDebugPrivilege                2808  powershell.exe
  Token: SeDebugPrivilege                2628  powershell.exe
  Token: SeDebugPrivilege                4404  powershell.exe
  Token: SeDebugPrivilege                4556  powershell.exe
  Token: SeDebugPrivilege                4324  powershell.exe
  Token: SeDebugPrivilege                2076  powershell.exe
  Token: SeDebugPrivilege                3016  powershell.exe
  Token: SeDebugPrivilege                4376  powershell.exe
  Token: SeDebugPrivilege                1932  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes ("PID <pid> wrote to memory of <target pid>"; every write was recorded twice, 64 events in total):
  pid   process           target pid  target process   events
  3692  SilverClient.exe  4824        attrib.exe       2
  3692  SilverClient.exe  1604        attrib.exe       2
  3692  SilverClient.exe  1820        cmd.exe          2
  1820  cmd.exe           1932        timeout.exe      2
  1820  cmd.exe           816         $77svchost.exe   2
  816   $77svchost.exe    5056        schtasks.exe     2
  816   $77svchost.exe    3492        schtasks.exe     2
  816   $77svchost.exe    1980        schtasks.exe     2
  816   $77svchost.exe    4912        powershell.exe   2
  816   $77svchost.exe    4560        schtasks.exe     2
  816   $77svchost.exe    3556        cmd.exe          2
  816   $77svchost.exe    3316        powershell.exe   2
  816   $77svchost.exe    2316        cmd.exe          2
  816   $77svchost.exe    2808        powershell.exe   2
  816   $77svchost.exe    1048        cmd.exe          2
  816   $77svchost.exe    2628        powershell.exe   2
  816   $77svchost.exe    3588        cmd.exe          2
  816   $77svchost.exe    4404        powershell.exe   2
  816   $77svchost.exe    1020        cmd.exe          2
  816   $77svchost.exe    4556        powershell.exe   2
  816   $77svchost.exe    2756        cmd.exe          2
  816   $77svchost.exe    4324        powershell.exe   2
  816   $77svchost.exe    1420        cmd.exe          2
  816   $77svchost.exe    2076        powershell.exe   2
  816   $77svchost.exe    1384        cmd.exe          2
  816   $77svchost.exe    3016        powershell.exe   2
  816   $77svchost.exe    4760        cmd.exe          2
  816   $77svchost.exe    4376        powershell.exe   2
  816   $77svchost.exe    4700        cmd.exe          2
  816   $77svchost.exe    1932        powershell.exe   2
  816   $77svchost.exe    4544        cmd.exe          2
  816   $77svchost.exe    3420        powershell.exe   2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
  pid   process
  4824  attrib.exe
  1604  attrib.exe
Processes

Process tree, indented by depth (the submitted sample is at depth 1). Each entry lists the image path, the observed command line, and the signatures attributed to that process.

- C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32"
    Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"
    Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9EA.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77svchost.exe
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\AppData\Roaming\System32\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        Signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77svchost.exe
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        Signatures: Creates scheduled task(s)
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads