Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
26/06/2024, 22:00
Static task
static1
Behavioral task
behavioral1
Sample
arceus-x.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
arceus-x.exe
Resource
win11-20240611-en
Behavioral task
behavioral3
Sample
arthe.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
arthe.exe
Resource
win11-20240611-en
General
-
Target
arthe.exe
-
Size
164.7MB
-
MD5
a91754a220567176afbd95d7f6115ca5
-
SHA1
dcf7fb81a8ca7f9a49872da181684fc030475c39
-
SHA256
663c217b28522ff706fd3c88f440153e3380387790468a778253170335fd962f
-
SHA512
fc2ee5c820cc1a92609388ad6b0ef03256142a6b3c961db3659fbafdba7360df8236a90ae670ed7d9f0412a395b46e47c6ac863fbb7c287cba942a032fc8d172
-
SSDEEP
1572864:1xGeD65iMor30uXkaYCELW0ejTV1FQ3mRVvHTxnHqVstmZC/wu32Q/djfP85WhkF:AeJEhTWTjiWhS
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation arthe.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arthe.exe arthe.exe -
Loads dropped DLL 3 IoCs
pid Process 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetuprAfumE = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\arthe.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 65 raw.githubusercontent.com 66 raw.githubusercontent.com 67 raw.githubusercontent.com 47 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 40 ipinfo.io 39 ipinfo.io -
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 4972 cmd.exe 4864 powershell.exe -
pid Process 1576 powershell.exe 1880 powershell.exe 4936 powershell.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString arthe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString arthe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 arthe.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4220 WMIC.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1308 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 1548 powershell.exe 1548 powershell.exe 1548 powershell.exe 1676 powershell.exe 1676 powershell.exe 1676 powershell.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe 3540 arthe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3748 WMIC.exe Token: SeSecurityPrivilege 3748 WMIC.exe Token: SeTakeOwnershipPrivilege 3748 WMIC.exe Token: SeLoadDriverPrivilege 3748 WMIC.exe Token: SeSystemProfilePrivilege 3748 WMIC.exe Token: SeSystemtimePrivilege 3748 WMIC.exe Token: SeProfSingleProcessPrivilege 3748 WMIC.exe Token: SeIncBasePriorityPrivilege 3748 WMIC.exe Token: SeCreatePagefilePrivilege 3748 WMIC.exe Token: SeBackupPrivilege 3748 WMIC.exe Token: SeRestorePrivilege 3748 WMIC.exe Token: SeShutdownPrivilege 3748 WMIC.exe Token: SeDebugPrivilege 3748 WMIC.exe Token: SeSystemEnvironmentPrivilege 3748 WMIC.exe Token: SeRemoteShutdownPrivilege 3748 WMIC.exe Token: SeUndockPrivilege 3748 WMIC.exe Token: SeManageVolumePrivilege 3748 WMIC.exe Token: 33 3748 WMIC.exe Token: 34 3748 WMIC.exe Token: 35 3748 WMIC.exe Token: 36 3748 WMIC.exe Token: SeIncreaseQuotaPrivilege 3748 WMIC.exe Token: SeSecurityPrivilege 3748 WMIC.exe Token: SeTakeOwnershipPrivilege 3748 WMIC.exe Token: SeLoadDriverPrivilege 3748 WMIC.exe Token: SeSystemProfilePrivilege 3748 WMIC.exe Token: SeSystemtimePrivilege 3748 WMIC.exe Token: SeProfSingleProcessPrivilege 3748 WMIC.exe Token: SeIncBasePriorityPrivilege 3748 WMIC.exe Token: SeCreatePagefilePrivilege 3748 WMIC.exe Token: SeBackupPrivilege 3748 WMIC.exe Token: SeRestorePrivilege 3748 WMIC.exe Token: SeShutdownPrivilege 3748 WMIC.exe Token: SeDebugPrivilege 3748 WMIC.exe Token: SeSystemEnvironmentPrivilege 3748 WMIC.exe Token: SeRemoteShutdownPrivilege 3748 WMIC.exe Token: SeUndockPrivilege 3748 WMIC.exe Token: SeManageVolumePrivilege 3748 WMIC.exe Token: 33 3748 WMIC.exe Token: 34 3748 WMIC.exe Token: 35 3748 WMIC.exe Token: 36 3748 WMIC.exe Token: SeIncreaseQuotaPrivilege 1508 WMIC.exe Token: SeSecurityPrivilege 1508 WMIC.exe Token: SeTakeOwnershipPrivilege 1508 WMIC.exe Token: SeLoadDriverPrivilege 1508 WMIC.exe Token: SeSystemProfilePrivilege 1508 WMIC.exe Token: SeSystemtimePrivilege 1508 WMIC.exe Token: SeProfSingleProcessPrivilege 1508 WMIC.exe Token: SeIncBasePriorityPrivilege 1508 WMIC.exe Token: SeCreatePagefilePrivilege 1508 WMIC.exe Token: SeBackupPrivilege 1508 WMIC.exe Token: SeRestorePrivilege 1508 WMIC.exe Token: SeShutdownPrivilege 1508 WMIC.exe Token: SeDebugPrivilege 1508 WMIC.exe Token: SeSystemEnvironmentPrivilege 1508 WMIC.exe Token: SeRemoteShutdownPrivilege 1508 WMIC.exe Token: SeUndockPrivilege 1508 WMIC.exe Token: SeManageVolumePrivilege 1508 WMIC.exe Token: 33 1508 WMIC.exe Token: 34 1508 WMIC.exe Token: 35 1508 WMIC.exe Token: 36 1508 WMIC.exe Token: SeIncreaseQuotaPrivilege 348 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3540 wrote to memory of 4324 3540 arthe.exe 88 PID 3540 wrote to memory of 4324 3540 arthe.exe 88 PID 4324 wrote to memory of 3748 4324 cmd.exe 90 PID 4324 wrote to memory of 3748 4324 cmd.exe 90 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 4960 3540 arthe.exe 91 PID 3540 wrote to memory of 1496 3540 arthe.exe 92 PID 3540 wrote to memory of 1496 3540 arthe.exe 92 PID 3540 wrote to memory of 748 3540 arthe.exe 95 PID 3540 wrote to memory of 748 3540 arthe.exe 95 PID 3540 wrote to memory of 1872 3540 arthe.exe 96 PID 3540 wrote to memory of 1872 3540 arthe.exe 96 PID 3540 wrote to memory of 3816 3540 arthe.exe 97 PID 3540 wrote to memory of 3816 3540 arthe.exe 97 PID 3816 wrote to memory of 1508 3816 cmd.exe 101 PID 3816 wrote to memory of 1508 3816 cmd.exe 101 PID 3816 wrote to memory of 536 3816 cmd.exe 102 PID 3816 wrote to memory of 536 3816 cmd.exe 102 PID 748 wrote to memory of 3124 748 cmd.exe 103 PID 748 wrote to memory of 3124 748 cmd.exe 103 PID 1872 wrote to memory of 348 1872 cmd.exe 104 PID 1872 wrote to memory of 348 1872 cmd.exe 104 PID 3124 wrote to memory of 4620 3124 net.exe 105 PID 3124 wrote to memory of 4620 3124 net.exe 105 PID 3540 wrote to memory of 3780 3540 arthe.exe 106 PID 3540 wrote to memory of 3780 3540 arthe.exe 106 PID 3780 wrote to memory of 2280 3780 cmd.exe 108 PID 3780 wrote to memory of 2280 3780 cmd.exe 108 PID 3780 wrote to memory of 1748 3780 cmd.exe 109 PID 3780 wrote to memory of 1748 3780 cmd.exe 109 PID 3540 wrote to memory of 3284 3540 arthe.exe 110 PID 3540 wrote to memory of 3284 3540 arthe.exe 110 PID 3284 wrote to memory of 4220 3284 cmd.exe 112 PID 3284 wrote to memory of 4220 3284 cmd.exe 112 PID 3284 wrote to memory of 1472 3284 cmd.exe 113 PID 3284 wrote to memory of 1472 3284 cmd.exe 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5096 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe"1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3540 get ExecutablePath"2⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=3540 get ExecutablePath3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\philhorse" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1972 --field-trial-handle=1976,i,16420787186845195180,13458348089597761291,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4960
-
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\philhorse" --mojo-platform-channel-handle=2176 --field-trial-handle=1976,i,16420787186845195180,13458348089597761291,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "net session"2⤵
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:4620
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption, osarchitecture3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
C:\Windows\system32\more.commore +13⤵PID:536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵PID:2280
-
-
C:\Windows\system32\more.commore +13⤵PID:1748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController get name3⤵
- Detects videocard installed
PID:4220
-
-
C:\Windows\system32\more.commore +13⤵PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵PID:4716
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"2⤵PID:4016
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3540 get ExecutablePath"2⤵PID:4820
-
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=3540 get ExecutablePath3⤵PID:2860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:2340
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:1764
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""2⤵PID:3140
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""2⤵PID:3188
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"3⤵PID:4672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""2⤵PID:1880
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"3⤵PID:3220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""2⤵PID:3700
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"3⤵PID:1748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""2⤵PID:2328
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""2⤵PID:2052
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""2⤵PID:1804
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"3⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""2⤵PID:3032
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"3⤵PID:968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""2⤵PID:3448
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""2⤵PID:920
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"3⤵PID:3076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""2⤵PID:840
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"3⤵PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""2⤵PID:2792
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"3⤵PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""2⤵PID:2236
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"3⤵PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""2⤵PID:4760
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"3⤵PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""2⤵PID:452
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"3⤵PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""2⤵PID:2668
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"3⤵PID:4100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""2⤵PID:748
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""2⤵PID:3140
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"3⤵PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""2⤵PID:1932
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""2⤵PID:3584
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"3⤵PID:3700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""2⤵PID:4988
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"3⤵PID:4220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""2⤵PID:2304
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"3⤵PID:3444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""2⤵PID:2028
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""2⤵PID:1804
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"3⤵PID:1720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""2⤵PID:2136
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""2⤵PID:4952
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""2⤵PID:920
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"3⤵PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""2⤵PID:840
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""2⤵PID:4556
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"3⤵PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""2⤵PID:4124
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"3⤵PID:4304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""2⤵PID:3548
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"3⤵PID:3244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""2⤵PID:452
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"3⤵PID:1764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""2⤵PID:2668
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"3⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""2⤵PID:748
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"3⤵PID:1668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""2⤵PID:4292
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""2⤵PID:1100
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""2⤵PID:3584
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"3⤵PID:3312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""2⤵PID:8
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"3⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""2⤵PID:2304
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""2⤵PID:2028
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""2⤵PID:4024
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"3⤵PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""2⤵PID:708
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"3⤵PID:112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""2⤵PID:4952
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\crLZsPrqAO0O_tezmp.ps1""2⤵PID:1132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\crLZsPrqAO0O_tezmp.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
PID:1576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mullvad account get"2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""2⤵PID:4612
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "function Get-AntiVirusProduct {3⤵
- Command and Scripting Interpreter: PowerShell
PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"2⤵PID:4620
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵PID:1776
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetuprAfumE /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe /f"2⤵PID:1676
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetuprAfumE /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe /f3⤵
- Adds Run key to start application
PID:1416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetuprAfumE /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest"2⤵PID:4448
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc onlogon /tn WindowsDriverSetuprAfumE /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest3⤵PID:3884
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn WindowsDriverSetuprAfumE /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest4⤵
- Scheduled Task/Job: Scheduled Task
PID:1308
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\"""2⤵
- Hide Artifacts: Hidden Files and Directories
PID:4972 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\""3⤵
- Hide Artifacts: Hidden Files and Directories
PID:4864 -
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe4⤵
- Views/modifies file attributes
PID:5096
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\arthe.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""2⤵PID:4220
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "3⤵
- Command and Scripting Interpreter: PowerShell
PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4068
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4864
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4908
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1748
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4928
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:348
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3288
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2668
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3576
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4000
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2668
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3576
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1504
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2956
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4660
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1136
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2488
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3032
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3692
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4356
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3884
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2952
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4068
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1416
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2256
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4720
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:540
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2124
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:920
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2488
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2916
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3596
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3756
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4672
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:436
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4556
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4928
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1320
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2916
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:840
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4016
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:540
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1820
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3288
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3340
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:376
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD58d460ce715a00afd56cda62e926b8b17
SHA13aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22
SHA256195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb
SHA5121b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
64B
MD5052b68d98977d4f52cc6afabfa743b06
SHA163b671a71cc5ec6b76218b0094784a5e21e08e7f
SHA256199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a
SHA512e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
125KB
MD5d6c776d3e3d45398909b8089339cffed
SHA11273ed2ed41e60d5829acb44bdf3b944be9ba4c5
SHA256edce4206cca72b8358ba58e757cd312d2b9226845bc6f19f8f1ea9692a4dae93
SHA51234124efe5f1ba8b7f49cff1105d4e3e3c71354e1099952a7300fb84c62b178ebd32545ca4f03fa8f7c903f1f6ae18980c6146cba25bc2e92674a9c42bcd93965
-
Filesize
1.4MB
MD556192831a7f808874207ba593f464415
SHA1e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA2566aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
-
Filesize
435KB
MD506b060ca310dca88cc9ed5591304daa8
SHA1a6a1f2f92fb1c5be275460afaa580f5bd3717c57
SHA256a5319a502b249214cef4cee0dbc44621eb80a828fccef0a13d99ad75f397fdab
SHA5127638210edeca0f14b4a29c7c1248fc1a85e04c047d755ed2390ed0e0c6d606d8e44aa1358892c34bb112e01ab79b91fdebefad769edaec0e3d1c527077ed144b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
728B
MD59ca2397248158659136fef01c5a637dc
SHA1460011b47ee64faa06807d7aea191bcafb8b340c
SHA256bdeb565cf7b528e7b533dda9d236e3572ea25ada06299a51b20aa1f9796ec46f
SHA5129e80d39ad6c526853c0be9deeea118546b6c4af8fdded54925585e41573ce1ac34d2652a0100d217c2e41e2026dfa0d4b94cff4f31f02a529569a143f1905206
-
Filesize
153KB
MD56dc80629358026270df0694074b8a18f
SHA149e0e9ec3c1aace0cb84b9f1f0fffa060ab31036
SHA2569a19f419905559e6ca56e81937e273984b2f110103890ca761043cae71133a9e
SHA5124804a5423a720b2e8ceab41c48cdddfa529d8cfff100de5a2810f20a016f33ffdd6732f39349428cd62fcf067ea0957bbecddc11b8462bad06c0f92055654a22
-
Filesize
2KB
MD5b26501fe967cb723a913312c45c750ad
SHA15295ea2f9d28dc2ca33f974dbdcf082c1f78f2c7
SHA2568ce5bf5b36a9bc1e16091332385279bbd51f7b003b479be5bb21285cdceea411
SHA512f325c52780263ba23f7baeb7169324031d9d52333946867cd98b8950a11e736b131b913b77f025a10b8c9cae9d1fca18f3dd9c34d3f16ce8e12a42e67f3e1d6e
-
Filesize
219B
MD5ac6b6f59ddc7026c649a1bfaaa39a14c
SHA15f6ca81e044bc02d62795cfd2c8594bcb5f49826
SHA256298d9621236f28ac95c118d2cc5d65535535b3d116f4fb8a3efb21369ce51f10
SHA5128a92f1433e03dc4e07f03f290aef25dc45e777a7d5826835f3ff9b9d2fcc80cb074582ad373a6f4118d86dbc735f5b423998bdf723ee6633d32e12a122c17df2
-
Filesize
434KB
MD50084355bdd2f6ba36ac9f97f996a3248
SHA1acbeb7875080e79f60b15ee31f562c01b8ec95ff
SHA2569bd88552e597dfaf6be67d3d9058b7c76559de10d9c016afad7c005f2ef3e4ef
SHA512787309c1ce798c20d9c3c82947898804e04dc451af1c13ce8f118a8cadb5f194413215608358f13fb295010f062d3d58ae69a3b1eb8b873a5a87f103dff6e331