hxxps://cdn[.]gilcdn[.]com/ContentMediaGenericFiles/97ae67c92f24b86e55231b388a333ef0-Full[.]rar?w=1&h=1&Expires=1723851283&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jZG4uZ2lsY2RuLmNvbS8qIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNzIzODUxMjgzfX19XX0_&Signature=bsTetsdepm7zPBKRI6HQCJXXzn8efqxsoGbb6SqyoMB1i7zNm0D1Q-v2BhdPvPZMrmW9DHUkXpFQ~BacOM7QhlZYbR1ycbS8CCR9Py65khAz39WN~16hyaadft~QZ-o7E3x-oPS02RUVSgodf7Dkws1WaMLk9Q0~HGNp-3fe3gu4bhD~BjKRX2uyE~CRLDFRz1jpgfXNGheQLrRccrhj17hTrOVbtUSCGWv-sa9C8BfwFjhgOlqF1sqzJevkaCaDG0eduVbCcBHzgJOq~kzZjKVOvBbLVMNiPM6NL-aFq5Q-xk3LAs-xgf-eBnfSu0yrD9cvMGvuYeBThW5U9lYt1g__&Key-Pair-Id=K1FFKFZRWAZSB

Analysis

max time kernel
300s
max time network
279s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16/08/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.gilcdn.com/ContentMediaGenericFiles/97ae67c92f24b86e55231b388a333ef0-Full.rar?w=1&h=1&Expires=1723851283&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jZG4uZ2lsY2RuLmNvbS8qIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNzIzODUxMjgzfX19XX0_&Signature=bsTetsdepm7zPBKRI6HQCJXXzn8efqxsoGbb6SqyoMB1i7zNm0D1Q-v2BhdPvPZMrmW9DHUkXpFQ~BacOM7QhlZYbR1ycbS8CCR9Py65khAz39WN~16hyaadft~QZ-o7E3x-oPS02RUVSgodf7Dkws1WaMLk9Q0~HGNp-3fe3gu4bhD~BjKRX2uyE~CRLDFRz1jpgfXNGheQLrRccrhj17hTrOVbtUSCGWv-sa9C8BfwFjhgOlqF1sqzJevkaCaDG0eduVbCcBHzgJOq~kzZjKVOvBbLVMNiPM6NL-aFq5Q-xk3LAs-xgf-eBnfSu0yrD9cvMGvuYeBThW5U9lYt1g__&Key-Pair-Id=K1FFKFZRWAZSB

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Clipboard Data 1 TTPs 64 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3756	cmd.exe
3380	cmd.exe
2092	cmd.exe
4944	powershell.exe
2408	cmd.exe
2540	cmd.exe
1896	powershell.exe
3500	powershell.exe
5108	Process not Found
752	powershell.exe
4560	powershell.exe
2500	powershell.exe
3280	cmd.exe
1032	cmd.exe
2672	cmd.exe
1680	cmd.exe
1904	powershell.exe
240	cmd.exe
2928	powershell.exe
2856	cmd.exe
4432	Process not Found
3896	cmd.exe
3748	powershell.exe
3120	powershell.exe
4988	cmd.exe
2536	cmd.exe
2240	powershell.exe
1524	cmd.exe
2316	cmd.exe
4128	powershell.exe
3144	cmd.exe
3212	cmd.exe
444	powershell.exe
752	powershell.exe
3884	powershell.exe
4944	powershell.exe
4816	powershell.exe
4604	powershell.exe
1432	cmd.exe
2500	cmd.exe
1672	cmd.exe
1664	cmd.exe
4536	cmd.exe
3372	cmd.exe
4940	powershell.exe
3212	Process not Found
752	cmd.exe
3420	powershell.exe
2732	Process not Found
2972	cmd.exe
3380	powershell.exe
1204	powershell.exe
1044	cmd.exe
2892	cmd.exe
2708	powershell.exe
1104	cmd.exe
1424	cmd.exe
2116	cmd.exe
5084	cmd.exe
904	powershell.exe
2124	powershell.exe
4804	powershell.exe
3896	cmd.exe
3380	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Beta_Setup.exe	Beta_Setup.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Beta_Setup.exe\:Zone.Identifier:$DATA	Beta_Setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
2696	7z2408-x64.exe
4184	7zFM.exe
3512	Beta_Setup.exe

Loads dropped DLL 5 IoCs

pid	Process
3324	Process not Found
4184	7zFM.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupxrHvwB = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\Beta_Setup.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3588	powershell.exe
4232	powershell.exe
752	powershell.exe
340	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
57	raw.githubusercontent.com
3	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
40	ipinfo.io

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4692	cmd.exe
340	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO85000BB8\Beta_Setup.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beta_Setup.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2736	cmd.exe
4872	netsh.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Beta_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Beta_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Beta_Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Beta_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Beta_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Beta_Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Beta_Setup.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3432	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683189609497366"	chrome.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO85000BB8\Beta_Setup.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\:Zone.Identifier:$DATA	Beta_Setup.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Beta_Setup.exe\:Zone.Identifier:$DATA	Beta_Setup.exe
File opened for modification	C:\Users\Admin\Downloads\Beta_Setup.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	chrome.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	chrome.exe
928	chrome.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe
3684	Beta_Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4184	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
928	chrome.exe
928	chrome.exe
928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeCreatePagefilePrivilege	928	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
4184	7zFM.exe
4184	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	7z2408-x64.exe
3548	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 2452	928	chrome.exe	81
PID 928 wrote to memory of 2452	928	chrome.exe	81
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 1856	928	chrome.exe	82
PID 928 wrote to memory of 4228	928	chrome.exe	83
PID 928 wrote to memory of 4228	928	chrome.exe	83
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84
PID 928 wrote to memory of 1328	928	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1528	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.gilcdn.com/ContentMediaGenericFiles/97ae67c92f24b86e55231b388a333ef0-Full.rar?w=1&h=1&Expires=1723851283&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jZG4uZ2lsY2RuLmNvbS8qIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNzIzODUxMjgzfX19XX0_&Signature=bsTetsdepm7zPBKRI6HQCJXXzn8efqxsoGbb6SqyoMB1i7zNm0D1Q-v2BhdPvPZMrmW9DHUkXpFQ~BacOM7QhlZYbR1ycbS8CCR9Py65khAz39WN~16hyaadft~QZ-o7E3x-oPS02RUVSgodf7Dkws1WaMLk9Q0~HGNp-3fe3gu4bhD~BjKRX2uyE~CRLDFRz1jpgfXNGheQLrRccrhj17hTrOVbtUSCGWv-sa9C8BfwFjhgOlqF1sqzJevkaCaDG0eduVbCcBHzgJOq~kzZjKVOvBbLVMNiPM6NL-aFq5Q-xk3LAs-xgf-eBnfSu0yrD9cvMGvuYeBThW5U9lYt1g__&Key-Pair-Id=K1FFKFZRWAZSB
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffbbfcc40,0x7ffffbbfcc4c,0x7ffffbbfcc58
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1972,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2004,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2944,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5020,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3328,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5328,i,6729620796550809136,16549218625574817237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4772
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Beta_Setup.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4184
- C:\Users\Admin\AppData\Local\Temp\7zO85000BB8\Beta_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85000BB8\Beta_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe
    C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3512 get ExecutablePath"
      4⤵
      PID:3420
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where processid=3512 get ExecutablePath
        5⤵
        
        PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\convirtierais" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2136 --field-trial-handle=2132,i,1976046197349552450,744114697069176635,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\2kkdmpbqzCIpaXa6tgRRmaAgGVY\Beta_Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\convirtierais" --mojo-platform-channel-handle=2380 --field-trial-handle=2132,i,1976046197349552450,744114697069176635,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "net session"
      4⤵
      PID:4048
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:4940
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:576
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
      4⤵
      PID:4432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic OS get caption, osarchitecture
        5⤵
        
        PID:1892
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
      4⤵
      PID:4708
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:840
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
      4⤵
      PID:4568
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3432
    - - C:\Windows\system32\more.com
        
        more +1
        5⤵
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
      4⤵
      PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3512 get ExecutablePath"
      4⤵
      PID:3788
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic process where processid=3512 get ExecutablePath
        5⤵
        
        PID:2736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
      4⤵
      PID:2772
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        5⤵
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
      4⤵
      PID:4720
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
        5⤵
        
        PID:3572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
      4⤵
      PID:1376
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
        5⤵
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
      4⤵
      PID:3516
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
        5⤵
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
      4⤵
      PID:4700
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
        5⤵
        
        PID:1852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
      4⤵
      PID:3548
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
        5⤵
        
        PID:1084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
      4⤵
      PID:4808
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
        5⤵
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
      4⤵
      PID:3756
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
        5⤵
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
      4⤵
      PID:3156
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
        5⤵
        
        PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
      4⤵
      PID:1364
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
        5⤵
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
      4⤵
      PID:844
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
        5⤵
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
      4⤵
      PID:2880
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
        5⤵
        
        PID:4252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
      4⤵
      PID:3080
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
        5⤵
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""
      4⤵
      PID:2992
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"
        5⤵
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
      4⤵
      PID:3860
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
        5⤵
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
      4⤵
      PID:3492
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
        5⤵
        
        PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
      4⤵
      PID:1840
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
        5⤵
        
        PID:3852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
      4⤵
      PID:3500
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
        5⤵
        
        PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
      4⤵
      PID:1212
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
        5⤵
        
        PID:132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
      4⤵
      PID:4488
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
        5⤵
        
        PID:3748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
      4⤵
      PID:236
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
      4⤵
      PID:5080
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
        5⤵
        
        PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
      4⤵
      PID:1660
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
        5⤵
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
      4⤵
      PID:3320
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
        5⤵
        
        PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
      4⤵
      PID:2556
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
        5⤵
        
        PID:3864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
      4⤵
      PID:1160
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
        5⤵
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
      4⤵
      PID:3680
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
        5⤵
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
      4⤵
      PID:2620
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
        5⤵
        
        PID:1436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
      4⤵
      PID:808
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
        5⤵
        
        PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
      4⤵
      PID:3572
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
        5⤵
        
        PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
      4⤵
      PID:3776
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
        5⤵
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
      4⤵
      PID:3032
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
        5⤵
        
        PID:3904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
      4⤵
      PID:2540
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
      4⤵
      PID:1852
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
        5⤵
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
      4⤵
      PID:840
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
        5⤵
        
        PID:2736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
      4⤵
      PID:1032
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
      4⤵
      PID:4872
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
        5⤵
        
        PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
      4⤵
      PID:4124
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
        5⤵
        
        PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
      4⤵
      PID:2772
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
        5⤵
        
        PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
      4⤵
      PID:3864
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
        5⤵
        
        PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
      4⤵
      PID:4212
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
        5⤵
        
        PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
      4⤵
      PID:2788
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
        5⤵
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
      4⤵
      PID:1436
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
        5⤵
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
      4⤵
      PID:924
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
        5⤵
        
        PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
      4⤵
      PID:4548
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
        5⤵
        
        PID:3852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\Mxz5BBcZshkw_tezmp.ps1""
      4⤵
      PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\Mxz5BBcZshkw_tezmp.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
      4⤵
      PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
      4⤵
      PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "function Get-AntiVirusProduct {
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2736
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
      4⤵
      PID:1528
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        5⤵
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupxrHvwB /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe /f"
      4⤵
      PID:2996
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupxrHvwB /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe /f
        5⤵
        Adds Run key to start application
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupxrHvwB /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\" /F /rl highest"
      4⤵
      PID:3500
    - - C:\Windows\system32\cmd.exe
        
        cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupxrHvwB /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\" /F /rl highest
        5⤵
        
        PID:4432
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc onlogon /tn WindowsDriverSetupxrHvwB /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\" /F /rl highest
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\"""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe\""
        5⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Hidden Files and Directories
        
        PID:340
      - C:\Windows\system32\attrib.exe
        
        "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Beta_Setup.exe
        6⤵
        Views/modifies file attributes
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Beta_Setup.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
      4⤵
      PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:32
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:32
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:5080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:5016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:1904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:3740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:3172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7785e9c7baa7cb83d988419642c2d4f8

SHA1
cd69c5058cece15645a318e9c9b39bd238106dd9

SHA256
de76bc07a00ce03b35a011a7447eebee9f9d4b4403cb1086ef0e065fbaad2852

SHA512
2c222d13f8d9bac7450e09a233497da9310bc243b615273c8802334ceffc555c0035cceb531de85011e14a684f13e96feb8870274443ac98d6982cd0e74afb97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
59b0e3d5f131ba6f21e0b41528e67820

SHA1
2954260981ace1167669aa4f14ccc630b4f59582

SHA256
9ad06238abf956f8d03091236dbf13f845c5b72aa9d398a5c23e4afc4fe5d98d

SHA512
661fa7a57db6c9514a714346de3da981418be50f9016821caab09e65fa5fac4748f6e5bc794a6de1ed3846d8416d631807d8e2e41f7c58166a4cd5551bbe2227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b5e7e41545d0d8028056421ec3cace3c

SHA1
c5b9821807565f42063583bd5bd0662d74fed53b

SHA256
7ccdb58c851d30243a2947a7b519696a3a14bdc4f3d2e5904d455f746a6dd932

SHA512
6a403f97321606d1be31570404afd4353a22af59ee0db358c1366095bea1696e54220f637acf501048bb5b60e318dd80a1f7e2134669008937a1f04959285e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
60a4a9be8bea3d1bc978fb06b0b1ed26

SHA1
84a89388238da3a13958e5216410219a4244c992

SHA256
0a5970570ac7d5b6429d9f024a71ed699115be117509360e9219d0dd496a2dcd

SHA512
f7d2e66c2fc652b9d03161991cdad1cc068b6e022b639544ff09b63ee3aea6c9fb1dc3800f75e39f7a7e0016d21c03a4059336d3ee32d1c943a8013caeea30ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ac604108-642b-4a02-94d5-b1fb57e9ec77.tmp

Filesize
1KB

MD5
9e21e2ac7b294db5fc6d96860824ea1a

SHA1
2fe43aa5ce8746dd32221c7b9cada6d5e5240df3

SHA256
f6b2680c9dc165254a2d0f2006fd6e5ce99125f6ba5fac0eec20b55913511854

SHA512
c7487c6d4856221f0d8248202c01ba9e4b0fc0855a3622e8035b5407bdd56eb18d8771e9b99110b22259f4ea4a470a178dc91561c0135d52e7e3b8dd264eb5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ab001b07581e4a88fbc4da0f26000dd

SHA1
3c59892ba5ceef20700fb628641f7eed33397e32

SHA256
18a1393d0dc5255f3fde0b1710876e528fe85e343cf2d6bf3927f38953e7095f

SHA512
a5065694c0ccae72ebebf61617776a71c15b0910a8fcf18a42b318035350c57a845fe37f32c68c311d9a103041758dcc7975b74c14ef6a12add826fe3548a3b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e90f0534740e1339c3b6e7346b595b99

SHA1
806fbe03711eac6d45bbb37137d27b7e50e9b8cd

SHA256
a4f094e300c5ba2ed2f984584a61bd072bafbbc592452c6697ce0c6a3e3c566a

SHA512
7a8883a51d3e6de63345b00f3d16e450f060654bd68901e0388620ad9dc46755590b5815727a550e1dfcd6f2e2741a7c4fd363b8ae62d5d9b1c62518adac592a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
984668b8d079bb0300533f3052bee07a

SHA1
2bde06a444deb846eae07c5eb7aeffc146a32932

SHA256
465d4237b6376609f087ee9a406281775d41026abb662932bb1ac3072ee34aae

SHA512
f2d6bd1a98854cc496ce746aaf056d91aec83ca81e693a57c56a15b59232763625bcaba2896fab29425dae331c46c38f5e64bf84099bd82e0eb1c83ea236aa8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3848fb99431bb77fb9cab33cc9acdf2a

SHA1
07e4154fd79752ca3a1b7c5cdde272bfa6c584e4

SHA256
8a2da163cabc44feab6501e247a6b5f9ed34e09d6d7f1b7c3e0475dac037c2bb

SHA512
73b9857b0d3f58de5ecedd94e81436e3b721599744cff5374e3821101444dfda6e5f8de117fe97723534d5d9bbf83685fda9537ecff2a7559533feb1f2924f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43fe922ebbd6139ef7556a8a2bdcc782

SHA1
4ef77ca16dabe3fcfa8cb4b3f3b177cf4bcc3f04

SHA256
8f4c5fb065acb704122a9a8b1c3aa816488718fc5233d350cea1fe167e6264c8

SHA512
b8215cc3d9a0ffc6c07e6c72e2713318296c340b91301bcd8d50d5a9d8092241aaec1da7cea82944a896fac2f59a33910affdf1bfc8c3cff1580d3459744c57d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca7d4d437aac2f78491f4d63cbe66822

SHA1
44da2f0f2a1e30c840008a5ecd3cacbb5aa780b8

SHA256
b59de7208022df8c05ceed18f935ed93b3fc61d0a96bacc1fafca1009622c8d9

SHA512
240c35a04b1e495f9f3af1d5cc66bb718c17b52cff3ec003c290127ac6812690cd07f4eec91f4d2c1a5565576243eeeac80a2748694304fa629eca29e2fee5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b13d4bcec200beaf2fcd80359b50b12c

SHA1
e4d03f31e2fe730d3a886cfe6265faf783982c33

SHA256
66f28cbde8c04d05af300a6a090d3384d7a6b9bc82579337a3840d9e86120da4

SHA512
53789fdf0fe6a6324f60abee57b398a92fec7fc0ef5bd631acbcb932c0b0415ca8309e23738efd917b266b1deb618bead1a710a24f42dcc006586a7c79d069a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
39ccaeaea4a79bce1ed0634534b7271a

SHA1
01b58d32a5fb430c64b8226030af8b3debdaa711

SHA256
c2941a27e5f65cbbed23a4860efd8234e5b14b70750baea6e312f87e2a319633

SHA512
e364d9f1c19d653d6ceda0376a7d69ed0811b6208f083554093cec16baff91e16ed2910288d4a8f8cdeb57f5999b9560e071d3ac48da821c174d5e743166ef91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5843696d70df783161968b9f9e1759

SHA1
6e7ab4a749b553ff66e8914563ca9f98cabe3ecd

SHA256
51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719

SHA512
5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7f81c3ba861f1a722421cc95d105fecd

SHA1
1e6e9a67f190deb407c6fdbd224ce90b833490e0

SHA256
cebaa9795b2039a5784a0edcbf89cb298259a34c5aa7f89ba31344203ea37a81

SHA512
1d44780b537d2797aaa636d913e2fb5dc00484d3bf9cbf42a67c7cd7988ff756326e9725b832df85c0c2fb1bc7c25f1ffa66e9b3ae5127868f38a88546a7555d

Download Submit
C:\Users\Admin\AppData\Local\Temp\43d7d357-7af6-4282-b5a7-2b1d438d6c6b.tmp.node

Filesize
124KB

MD5
34ee1dcfe49e1c3306ff85b1294b249f

SHA1
792accfd0c787e4c21878d1b687bc5923d342bd6

SHA256
1d2645acca88ff50904482d0fdf2f2cdcd51893cb097efbcdef2d9ef4c8df4c7

SHA512
e17fafead78ecfa31e8fdffdc0ab2a1fd1c8a73087f36cd84164d7c164db4a35300639bc94af1ca4acef9145d3b60ba891033cc95e199e8fd7f8bcb7a3d1eecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5af8f63a-d1c4-4250-9836-fdafee9c192c.tmp.node

Filesize
153KB

MD5
6441481481e2046e5bf487f2384f242b

SHA1
6532a247e2c9a71cd94b341941181b0b6093b598

SHA256
d53314659b962d0c0634f350834d1f197871804b6921b7149c2684475d9f3c82

SHA512
ff27d52072817a337a746afc9861b34eceff6b65dc83d069b94f91a47813da9cca4cc8e7b9c5dd8fb5a976580a6048e8384f206e2c449a3c0138c7454f1eb5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85000BB8\Beta_Setup.exe:Zone.Identifier

Filesize
693B

MD5
ff401bfbf2e8a3dc89b3dd6a7138fcc3

SHA1
bc7812a6b23b48a66375a024e1efc080e26a48b8

SHA256
acf71f1a85dd201b46b7a6c99a5f67134bf751f349bf11f8f5e4dfd7bb58f9ab

SHA512
3208a4ba4ce4facca045a1fb33d6b3052c8ead0853014001e58b6da6965ce05b10d2136c5f477d460111bc79c476fb8295e3eac5eb57e6e857d24cac48d50408

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_194.zip

Filesize
203KB

MD5
4e58aaeba1719f5c8dcc82d334bbe528

SHA1
62f72d5aae8ebf5702f5a231d2c7b34faef935bc

SHA256
088a8198d157c103211333840676e04a591496b5e6da82540e0db8357589ebf1

SHA512
0b029900f5523017f954cba5b317798707fd49703544cfdeee6bfa0cd402c687180fa71878c1fd5a8a47bef70a5fdede6fa7311f6a11e62e802596a7eb30bf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxz5BBcZshkw_tezmp.ps1

Filesize
728B

MD5
2d0d78354585967af67dd4ed9fe8f049

SHA1
96709a9d5a9f968706449354916afddb0968a7a2

SHA256
a94a7c0916ed93297881e8ba7a607bde1f1ad6429de0c6741f5796870560ed87

SHA512
4db58ad8302936481c26659f2d08816c1437434bddadcc63f8a56237116177a22cfc2aa7940d72b9bdb6f0ed54d5dfc5aa0db06fb8602714f82c4aa655c5bcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYPBRS526q1w8MDzTfMq\Browsers\Bookmarks.txt

Filesize
2KB

MD5
4980c7d8e389330835d799d67101aa5c

SHA1
f0ad25c9d26496e6c6858cc09275558262daaab2

SHA256
f30b41e3996286d27dc7dda98a6d50288b3b9639e500dc833d9a52cd75d09b26

SHA512
9d6586dd794181b05f632c4e44920f3a63f6cc18fee03aed0679f782f03e9b9d4663d2f1179d3d4936dd3a5bd57a0f6ad5e14e2500c78962304b4c9e61c970b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYPBRS526q1w8MDzTfMq\Browsers\Downloads.txt

Filesize
2KB

MD5
ed8ae306141aad9c61dfa92ba85932bc

SHA1
a3a49011096bcd7fdc95d1351e0f440769af03a7

SHA256
7193d9a46acdf3159a0f5b61d0af666c3795ea1fb5a71504455f93e91aff7b90

SHA512
7eb5547933417d283f6eb5d1ae6ae0de83313696f6c1ce07d54373ad127ea4b13469afa42f08cc60badf64d3b3e4e39a6ab45f02e6850b5017c49fe8761de4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYPBRS526q1w8MDzTfMq\Browsers\History.txt

Filesize
1KB

MD5
cee05623810f0c90329245dfbad16a77

SHA1
29f03038090defe98fced0e80287fb77d0b90b30

SHA256
9a0a2bf36c13750115131bdf0037eb46927abda31ca1714dd36e8d60cdb612d8

SHA512
e02607f2e476c3805f5f4879c84e3c7fd41227318586968132f2194ad7fdd3fb3da0005fcb8314546b5216958c81c54bc336b1e3ba27e0c0e564b1184c7c0db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYPBRS526q1w8MDzTfMq\System\WMCTSIEG - 2024-08-16_215736.png

Filesize
204KB

MD5
4c2f4c2c14621510fc81afc8cecd53ea

SHA1
ab1d6ed03d09bc5ab2e852535b792e544d526a22

SHA256
d7378def46b12d2fac4a0562f2b5d7838986e4a86b526b19785f4a873a4ab7b8

SHA512
ad6febb4f68c5b27c25ed15c558206063fd6ef9e34f3a70067e023b7c8a882f9e7b32d230688798521735001ae3e2b11c1412ff40c961e42481ca1ddefcbf77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r544ah5u.pmu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\de7abb3d-1763-441a-bb24-26882660d520.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\Downloads\Beta_Setup.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 353228.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
memory/3512-435-0x0000000074A20000-0x0000000074A94000-memory.dmp

Filesize
464KB

Download
memory/4488-412-0x0000013F7D370000-0x0000013F7D392000-memory.dmp

Filesize
136KB

Download