Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
59s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
26/06/2024, 22:00
Static task
static1
Behavioral task
behavioral1
Sample
arceus-x.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
arceus-x.exe
Resource
win11-20240611-en
Behavioral task
behavioral3
Sample
arthe.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
arthe.exe
Resource
win11-20240611-en
General
-
Target
arthe.exe
-
Size
164.7MB
-
MD5
a91754a220567176afbd95d7f6115ca5
-
SHA1
dcf7fb81a8ca7f9a49872da181684fc030475c39
-
SHA256
663c217b28522ff706fd3c88f440153e3380387790468a778253170335fd962f
-
SHA512
fc2ee5c820cc1a92609388ad6b0ef03256142a6b3c961db3659fbafdba7360df8236a90ae670ed7d9f0412a395b46e47c6ac863fbb7c287cba942a032fc8d172
-
SSDEEP
1572864:1xGeD65iMor30uXkaYCELW0ejTV1FQ3mRVvHTxnHqVstmZC/wu32Q/djfP85WhkF:AeJEhTWTjiWhS
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arthe.exe arthe.exe -
Loads dropped DLL 3 IoCs
pid Process 864 arthe.exe 864 arthe.exe 864 arthe.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupLvPZUU = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\arthe.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 8 raw.githubusercontent.com 18 raw.githubusercontent.com 19 raw.githubusercontent.com 20 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ipinfo.io 9 ipinfo.io -
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 1628 cmd.exe 1360 powershell.exe -
pid Process 3384 powershell.exe 4928 powershell.exe 2340 powershell.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString arthe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz arthe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString arthe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 arthe.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5056 WMIC.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 600 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 1172 powershell.exe 1172 powershell.exe 3096 powershell.exe 3096 powershell.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe 864 arthe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 240 WMIC.exe Token: SeSecurityPrivilege 240 WMIC.exe Token: SeTakeOwnershipPrivilege 240 WMIC.exe Token: SeLoadDriverPrivilege 240 WMIC.exe Token: SeSystemProfilePrivilege 240 WMIC.exe Token: SeSystemtimePrivilege 240 WMIC.exe Token: SeProfSingleProcessPrivilege 240 WMIC.exe Token: SeIncBasePriorityPrivilege 240 WMIC.exe Token: SeCreatePagefilePrivilege 240 WMIC.exe Token: SeBackupPrivilege 240 WMIC.exe Token: SeRestorePrivilege 240 WMIC.exe Token: SeShutdownPrivilege 240 WMIC.exe Token: SeDebugPrivilege 240 WMIC.exe Token: SeSystemEnvironmentPrivilege 240 WMIC.exe Token: SeRemoteShutdownPrivilege 240 WMIC.exe Token: SeUndockPrivilege 240 WMIC.exe Token: SeManageVolumePrivilege 240 WMIC.exe Token: 33 240 WMIC.exe Token: 34 240 WMIC.exe Token: 35 240 WMIC.exe Token: 36 240 WMIC.exe Token: SeIncreaseQuotaPrivilege 240 WMIC.exe Token: SeSecurityPrivilege 240 WMIC.exe Token: SeTakeOwnershipPrivilege 240 WMIC.exe Token: SeLoadDriverPrivilege 240 WMIC.exe Token: SeSystemProfilePrivilege 240 WMIC.exe Token: SeSystemtimePrivilege 240 WMIC.exe Token: SeProfSingleProcessPrivilege 240 WMIC.exe Token: SeIncBasePriorityPrivilege 240 WMIC.exe Token: SeCreatePagefilePrivilege 240 WMIC.exe Token: SeBackupPrivilege 240 WMIC.exe Token: SeRestorePrivilege 240 WMIC.exe Token: SeShutdownPrivilege 240 WMIC.exe Token: SeDebugPrivilege 240 WMIC.exe Token: SeSystemEnvironmentPrivilege 240 WMIC.exe Token: SeRemoteShutdownPrivilege 240 WMIC.exe Token: SeUndockPrivilege 240 WMIC.exe Token: SeManageVolumePrivilege 240 WMIC.exe Token: 33 240 WMIC.exe Token: 34 240 WMIC.exe Token: 35 240 WMIC.exe Token: 36 240 WMIC.exe Token: SeIncreaseQuotaPrivilege 4264 WMIC.exe Token: SeSecurityPrivilege 4264 WMIC.exe Token: SeTakeOwnershipPrivilege 4264 WMIC.exe Token: SeLoadDriverPrivilege 4264 WMIC.exe Token: SeSystemProfilePrivilege 4264 WMIC.exe Token: SeSystemtimePrivilege 4264 WMIC.exe Token: SeProfSingleProcessPrivilege 4264 WMIC.exe Token: SeIncBasePriorityPrivilege 4264 WMIC.exe Token: SeCreatePagefilePrivilege 4264 WMIC.exe Token: SeBackupPrivilege 4264 WMIC.exe Token: SeRestorePrivilege 4264 WMIC.exe Token: SeShutdownPrivilege 4264 WMIC.exe Token: SeDebugPrivilege 4264 WMIC.exe Token: SeSystemEnvironmentPrivilege 4264 WMIC.exe Token: SeRemoteShutdownPrivilege 4264 WMIC.exe Token: SeUndockPrivilege 4264 WMIC.exe Token: SeManageVolumePrivilege 4264 WMIC.exe Token: 33 4264 WMIC.exe Token: 34 4264 WMIC.exe Token: 35 4264 WMIC.exe Token: 36 4264 WMIC.exe Token: SeIncreaseQuotaPrivilege 1660 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 864 wrote to memory of 348 864 arthe.exe 77 PID 864 wrote to memory of 348 864 arthe.exe 77 PID 348 wrote to memory of 240 348 cmd.exe 79 PID 348 wrote to memory of 240 348 cmd.exe 79 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4220 864 arthe.exe 80 PID 864 wrote to memory of 4236 864 arthe.exe 81 PID 864 wrote to memory of 4236 864 arthe.exe 81 PID 864 wrote to memory of 1780 864 arthe.exe 83 PID 864 wrote to memory of 1780 864 arthe.exe 83 PID 864 wrote to memory of 3360 864 arthe.exe 85 PID 864 wrote to memory of 3360 864 arthe.exe 85 PID 864 wrote to memory of 2224 864 arthe.exe 86 PID 864 wrote to memory of 2224 864 arthe.exe 86 PID 1780 wrote to memory of 1684 1780 cmd.exe 89 PID 1780 wrote to memory of 1684 1780 cmd.exe 89 PID 2224 wrote to memory of 4264 2224 cmd.exe 90 PID 2224 wrote to memory of 4264 2224 cmd.exe 90 PID 3360 wrote to memory of 1660 3360 cmd.exe 91 PID 3360 wrote to memory of 1660 3360 cmd.exe 91 PID 2224 wrote to memory of 3424 2224 cmd.exe 93 PID 2224 wrote to memory of 3424 2224 cmd.exe 93 PID 1684 wrote to memory of 3440 1684 net.exe 92 PID 1684 wrote to memory of 3440 1684 net.exe 92 PID 864 wrote to memory of 2604 864 arthe.exe 94 PID 864 wrote to memory of 2604 864 arthe.exe 94 PID 2604 wrote to memory of 4232 2604 cmd.exe 96 PID 2604 wrote to memory of 4232 2604 cmd.exe 96 PID 2604 wrote to memory of 1504 2604 cmd.exe 97 PID 2604 wrote to memory of 1504 2604 cmd.exe 97 PID 864 wrote to memory of 896 864 arthe.exe 98 PID 864 wrote to memory of 896 864 arthe.exe 98 PID 896 wrote to memory of 5056 896 cmd.exe 100 PID 896 wrote to memory of 5056 896 cmd.exe 100 PID 896 wrote to memory of 2128 896 cmd.exe 101 PID 896 wrote to memory of 2128 896 cmd.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5044 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=864 get ExecutablePath"2⤵
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=864 get ExecutablePath3⤵
- Suspicious use of AdjustPrivilegeToken
PID:240
-
-
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\philhorse" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,2461506406204417994,15462345428441062138,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4220
-
-
C:\Users\Admin\AppData\Local\Temp\arthe.exe"C:\Users\Admin\AppData\Local\Temp\arthe.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\philhorse" --mojo-platform-channel-handle=2436 --field-trial-handle=1900,i,2461506406204417994,15462345428441062138,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:4236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "net session"2⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:3440
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption, osarchitecture3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
C:\Windows\system32\more.commore +13⤵PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵PID:4232
-
-
C:\Windows\system32\more.commore +13⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"2⤵
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController get name3⤵
- Detects videocard installed
PID:5056
-
-
C:\Windows\system32\more.commore +13⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵PID:2380
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"2⤵PID:740
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=864 get ExecutablePath"2⤵PID:4844
-
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=864 get ExecutablePath3⤵PID:4792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:1580
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:4616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:3040
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""2⤵PID:1028
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""2⤵PID:1804
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"3⤵PID:4216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""2⤵PID:4004
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""2⤵PID:3624
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""2⤵PID:2436
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"3⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""2⤵PID:1336
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""2⤵PID:5048
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"3⤵PID:3148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""2⤵PID:2532
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"3⤵PID:1180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""2⤵PID:2704
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""2⤵PID:2764
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"3⤵PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""2⤵PID:796
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""2⤵PID:2932
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""2⤵PID:4812
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"3⤵PID:4688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""2⤵PID:3004
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""2⤵PID:4212
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"3⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""2⤵PID:1448
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""2⤵PID:2380
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"3⤵PID:228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""2⤵PID:3032
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""2⤵PID:2944
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"3⤵PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""2⤵PID:72
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"3⤵PID:4792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""2⤵PID:2936
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"3⤵PID:1528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""2⤵PID:1032
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"3⤵PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""2⤵PID:4092
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"3⤵PID:3820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""2⤵PID:5108
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"3⤵PID:2448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""2⤵PID:908
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"3⤵PID:3988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""2⤵PID:3904
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"3⤵PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""2⤵PID:2300
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""2⤵PID:2436
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"3⤵PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""2⤵PID:4368
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""2⤵PID:3308
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"3⤵PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""2⤵PID:2532
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"3⤵PID:1636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""2⤵PID:1780
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"3⤵PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""2⤵PID:2764
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"3⤵PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""2⤵PID:2920
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"3⤵PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""2⤵PID:2320
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"3⤵PID:3076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""2⤵PID:4956
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"3⤵PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""2⤵PID:1360
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"3⤵PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""2⤵PID:4544
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"3⤵PID:2384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""2⤵PID:4964
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""2⤵PID:4056
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""2⤵PID:1472
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""2⤵PID:2944
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"3⤵PID:932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""2⤵PID:1152
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"3⤵PID:3736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CMj9BY1V4uRa_tezmp.ps1""2⤵PID:4224
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CMj9BY1V4uRa_tezmp.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mullvad account get"2⤵PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""2⤵PID:2080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "function Get-AntiVirusProduct {3⤵
- Command and Scripting Interpreter: PowerShell
PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"2⤵PID:4064
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵PID:4684
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"3⤵PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupLvPZUU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe /f"2⤵PID:3260
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupLvPZUU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe /f3⤵
- Adds Run key to start application
PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupLvPZUU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest"2⤵PID:4688
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupLvPZUU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest3⤵PID:2128
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn WindowsDriverSetupLvPZUU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\" /F /rl highest4⤵
- Scheduled Task/Job: Scheduled Task
PID:600
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\"""2⤵
- Hide Artifacts: Hidden Files and Directories
PID:1628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe\""3⤵
- Hide Artifacts: Hidden Files and Directories
PID:1360 -
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\arthe.exe4⤵
- Views/modifies file attributes
PID:5044
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\arthe.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""2⤵PID:4228
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "3⤵
- Command and Scripting Interpreter: PowerShell
PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3820
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1956
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:956
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1268
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3856
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2164
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4756
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1516
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4616
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3160
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4596
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1940
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3360
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1144
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4664
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2448
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3396
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2788
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1864
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3708
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:72
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1956
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4824
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4664
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:584
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4036
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1212
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3484
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4756
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2508
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4432
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4448
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4328
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2816
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3172
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1368
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1980
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2448
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4276
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2820
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1144
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2508
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4488
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4944
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3588
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4896
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2436
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4320
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5048
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD588dc70c361a22feac57b031dd9c1f02f
SHA1a9b4732260c2a323750022a73480f229ce25d46d
SHA25643244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA51219c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD56e5843696d70df783161968b9f9e1759
SHA16e7ab4a749b553ff66e8914563ca9f98cabe3ecd
SHA25651f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719
SHA5125b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
125KB
MD5d6c776d3e3d45398909b8089339cffed
SHA11273ed2ed41e60d5829acb44bdf3b944be9ba4c5
SHA256edce4206cca72b8358ba58e757cd312d2b9226845bc6f19f8f1ea9692a4dae93
SHA51234124efe5f1ba8b7f49cff1105d4e3e3c71354e1099952a7300fb84c62b178ebd32545ca4f03fa8f7c903f1f6ae18980c6146cba25bc2e92674a9c42bcd93965
-
Filesize
728B
MD53bdb4acb30b66e04490cca9daa5ed55f
SHA17e54b6a043aaf4e05b7c41a8d8b65d4eb0bd9847
SHA256c6ebfa1f886ef4a8b95272fc4c4b51213fd53954113925de6a0bc0a089b5c7b5
SHA5122c8cc6a6bf378b67260a4a00aa6bd7b17cb70c884b677bdeb5bfc5c9e52f0ef0edf96ad30baa852221308313ca1c5a9f48215e7a2c81e548615649eeedd7cdb8
-
Filesize
406KB
MD514395b0a43e71f793274e221b917b2c9
SHA18dd91631f9a8647bf9bc3ee38717428eb0a64eb4
SHA2560f5b0f2af1ca3b324892797815f87ddb5d4beb36f5735c18c0250b8893e2e50a
SHA51290665ede2d4058269679ca84b8bc455a803e29b28aabe662d298c7422da08ec0f4d2bfc9b879e941640dcdb0c6dca052fb88ab3aef4865342c84cde553376277
-
Filesize
2KB
MD5dce29c08aae4beae5f112ebbc3ded9e9
SHA18d1181f990cbe2129cadc62e69c53d06da11d2db
SHA2563738fe60a406e6f7494f8c65b5cbd43f635736a4839bfd318962809c311c5741
SHA512e627da73f4c6bb352d0a46a84250f98ba31559e595bb5f7af410de1f5fa99c4f0cfc19ee78270cc3416e393c1e85fd6ef24b5493e6d03ba9998a3014184d9eaa
-
Filesize
219B
MD58c399c44ccb5fbbebf82dfcdb25a89eb
SHA10c2a1a92d635f879fdc9ecb04387360062972b0f
SHA256cd7248ee481d8d8f50e56511aa5fbdd1df0479c6bb1058e671c4ca447ac8a1fa
SHA512de2c37834cc5cf836be7c1ae8640f7b549f56a9d64769e591e5c8a6853f28315f468cb6e4ddb0dad0fca459b5351f583e2b43cec812c472dccce2d37da0b6660
-
Filesize
406KB
MD52a2af5ccc719fd1df420ddd976d23d46
SHA15db868a9166b74dbd991f18363d85fad79d4de41
SHA256ad7b479ecc354a4b16b1436dd9cbec42cd8fa3517ec2aef469959e8824ed49d6
SHA5122195d1d09a28a237932b063dd8d975ec2d64a736aed8fd16f62197bbf3bc3c6392dba3bcc8cf915441004f686d7723f524883568531093ec6c4065580fbaede4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD556192831a7f808874207ba593f464415
SHA1e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA2566aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
-
Filesize
153KB
MD56dc80629358026270df0694074b8a18f
SHA149e0e9ec3c1aace0cb84b9f1f0fffa060ab31036
SHA2569a19f419905559e6ca56e81937e273984b2f110103890ca761043cae71133a9e
SHA5124804a5423a720b2e8ceab41c48cdddfa529d8cfff100de5a2810f20a016f33ffdd6732f39349428cd62fcf067ea0957bbecddc11b8462bad06c0f92055654a22