bda512b2e0b17d5222586854c8d87566feec49798e6a4a7c7664a4ac737c93f8

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NekozRealistic.exe
Size

164.7MB
MD5

f80b2ee7c52e1060fd2a2151a96acea6
SHA1

c8439c74096888c6983cf1e7a623697260e51b51
SHA256

07da39ecec383765b3ccada1e47272a8ec4b636e25a9a175953e135611b77636
SHA512

7ff0491572a26c5edf07fa3a4e28ac517447cb5f48ed2a8f36c01e303b1b0962a75982f092d1c58090ccf4ab4ef92c312e47d8e3fa165b2bd9ec196991430f94
SSDEEP

1572864:ImIh9FimkfWTs6+LkanRWYS8a4lN+WTi6qSFK2u73JvPaKD2JsR2/tVBcpZOcrQD:2sFWY7ihS4kVP

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	NekozRealistic.exe

Clipboard Data 1 TTPs 64 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1684	cmd.exe
3576	cmd.exe
3304	cmd.exe
4436	cmd.exe
3356	powershell.exe
3744	cmd.exe
3284	powershell.exe
228	cmd.exe
2208	cmd.exe
3548	cmd.exe
4432	cmd.exe
2632	cmd.exe
4448	powershell.exe
3760	powershell.exe
3740	powershell.exe
1848	powershell.exe
3220	powershell.exe
4384	cmd.exe
3224	cmd.exe
2844	powershell.exe
1652	powershell.exe
1168	powershell.exe
3900	powershell.exe
1876	cmd.exe
2208	powershell.exe
4716	cmd.exe
4448	cmd.exe
2320	cmd.exe
4644	powershell.exe
4028	powershell.exe
3740	cmd.exe
4420	cmd.exe
2028	powershell.exe
4692	cmd.exe
536	powershell.exe
1328	cmd.exe
4088	powershell.exe
2312	cmd.exe
4212	cmd.exe
1236	powershell.exe
1908	cmd.exe
1472	powershell.exe
4892	cmd.exe
3604	powershell.exe
2536	powershell.exe
3496	powershell.exe
2616	powershell.exe
536	powershell.exe
4836	cmd.exe
1352	powershell.exe
1232	powershell.exe
1588	powershell.exe
1724	powershell.exe
1292	cmd.exe
460	powershell.exe
2632	powershell.exe
1464	powershell.exe
2656	powershell.exe
4532	cmd.exe
4448	powershell.exe
4880	powershell.exe
4140	powershell.exe
1232	cmd.exe
748	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NekozRealistic.exe	NekozRealistic.exe

Loads dropped DLL 3 IoCs

pid	Process
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupEEZ029 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\NekozRealistic.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
68	raw.githubusercontent.com
72	raw.githubusercontent.com
73	raw.githubusercontent.com
74	raw.githubusercontent.com
84	raw.githubusercontent.com
86	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ipinfo.io
38	ipinfo.io

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4244	cmd.exe
4984	powershell.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4028	cmd.exe
4524	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
1500	powershell.exe
4764	powershell.exe
4524	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2796	cmd.exe
2320	netsh.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	NekozRealistic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	NekozRealistic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	NekozRealistic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NekozRealistic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	NekozRealistic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NekozRealistic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	NekozRealistic.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
396	WMIC.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe
4656	NekozRealistic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1396	WMIC.exe
Token: SeSecurityPrivilege	1396	WMIC.exe
Token: SeTakeOwnershipPrivilege	1396	WMIC.exe
Token: SeLoadDriverPrivilege	1396	WMIC.exe
Token: SeSystemProfilePrivilege	1396	WMIC.exe
Token: SeSystemtimePrivilege	1396	WMIC.exe
Token: SeProfSingleProcessPrivilege	1396	WMIC.exe
Token: SeIncBasePriorityPrivilege	1396	WMIC.exe
Token: SeCreatePagefilePrivilege	1396	WMIC.exe
Token: SeBackupPrivilege	1396	WMIC.exe
Token: SeRestorePrivilege	1396	WMIC.exe
Token: SeShutdownPrivilege	1396	WMIC.exe
Token: SeDebugPrivilege	1396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1396	WMIC.exe
Token: SeRemoteShutdownPrivilege	1396	WMIC.exe
Token: SeUndockPrivilege	1396	WMIC.exe
Token: SeManageVolumePrivilege	1396	WMIC.exe
Token: 33	1396	WMIC.exe
Token: 34	1396	WMIC.exe
Token: 35	1396	WMIC.exe
Token: 36	1396	WMIC.exe
Token: SeShutdownPrivilege	4656	NekozRealistic.exe
Token: SeCreatePagefilePrivilege	4656	NekozRealistic.exe
Token: SeIncreaseQuotaPrivilege	1396	WMIC.exe
Token: SeSecurityPrivilege	1396	WMIC.exe
Token: SeTakeOwnershipPrivilege	1396	WMIC.exe
Token: SeLoadDriverPrivilege	1396	WMIC.exe
Token: SeSystemProfilePrivilege	1396	WMIC.exe
Token: SeSystemtimePrivilege	1396	WMIC.exe
Token: SeProfSingleProcessPrivilege	1396	WMIC.exe
Token: SeIncBasePriorityPrivilege	1396	WMIC.exe
Token: SeCreatePagefilePrivilege	1396	WMIC.exe
Token: SeBackupPrivilege	1396	WMIC.exe
Token: SeRestorePrivilege	1396	WMIC.exe
Token: SeShutdownPrivilege	1396	WMIC.exe
Token: SeDebugPrivilege	1396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1396	WMIC.exe
Token: SeRemoteShutdownPrivilege	1396	WMIC.exe
Token: SeUndockPrivilege	1396	WMIC.exe
Token: SeManageVolumePrivilege	1396	WMIC.exe
Token: 33	1396	WMIC.exe
Token: 34	1396	WMIC.exe
Token: 35	1396	WMIC.exe
Token: 36	1396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	532	WMIC.exe
Token: SeSecurityPrivilege	532	WMIC.exe
Token: SeTakeOwnershipPrivilege	532	WMIC.exe
Token: SeLoadDriverPrivilege	532	WMIC.exe
Token: SeSystemProfilePrivilege	532	WMIC.exe
Token: SeSystemtimePrivilege	532	WMIC.exe
Token: SeProfSingleProcessPrivilege	532	WMIC.exe
Token: SeIncBasePriorityPrivilege	532	WMIC.exe
Token: SeCreatePagefilePrivilege	532	WMIC.exe
Token: SeBackupPrivilege	532	WMIC.exe
Token: SeRestorePrivilege	532	WMIC.exe
Token: SeShutdownPrivilege	532	WMIC.exe
Token: SeDebugPrivilege	532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	532	WMIC.exe
Token: SeRemoteShutdownPrivilege	532	WMIC.exe
Token: SeUndockPrivilege	532	WMIC.exe
Token: SeManageVolumePrivilege	532	WMIC.exe
Token: 33	532	WMIC.exe
Token: 34	532	WMIC.exe
Token: 35	532	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3284	4656	NekozRealistic.exe	89
PID 4656 wrote to memory of 3284	4656	NekozRealistic.exe	89
PID 3284 wrote to memory of 1396	3284	cmd.exe	91
PID 3284 wrote to memory of 1396	3284	cmd.exe	91
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 3376	4656	NekozRealistic.exe	92
PID 4656 wrote to memory of 4476	4656	NekozRealistic.exe	93
PID 4656 wrote to memory of 4476	4656	NekozRealistic.exe	93
PID 4656 wrote to memory of 1472	4656	NekozRealistic.exe	94
PID 4656 wrote to memory of 1472	4656	NekozRealistic.exe	94
PID 4656 wrote to memory of 4620	4656	NekozRealistic.exe	96
PID 4656 wrote to memory of 4620	4656	NekozRealistic.exe	96
PID 4656 wrote to memory of 2484	4656	NekozRealistic.exe	97
PID 4656 wrote to memory of 2484	4656	NekozRealistic.exe	97
PID 1472 wrote to memory of 3484	1472	cmd.exe	100
PID 1472 wrote to memory of 3484	1472	cmd.exe	100
PID 3484 wrote to memory of 4336	3484	net.exe	101
PID 3484 wrote to memory of 4336	3484	net.exe	101
PID 4620 wrote to memory of 532	4620	cmd.exe	102
PID 4620 wrote to memory of 532	4620	cmd.exe	102
PID 2484 wrote to memory of 3704	2484	cmd.exe	103
PID 2484 wrote to memory of 3704	2484	cmd.exe	103
PID 2484 wrote to memory of 364	2484	cmd.exe	104
PID 2484 wrote to memory of 364	2484	cmd.exe	104
PID 4656 wrote to memory of 2640	4656	NekozRealistic.exe	105
PID 4656 wrote to memory of 2640	4656	NekozRealistic.exe	105
PID 2640 wrote to memory of 548	2640	cmd.exe	107
PID 2640 wrote to memory of 548	2640	cmd.exe	107
PID 2640 wrote to memory of 3044	2640	cmd.exe	108
PID 2640 wrote to memory of 3044	2640	cmd.exe	108
PID 4656 wrote to memory of 3496	4656	NekozRealistic.exe	110
PID 4656 wrote to memory of 3496	4656	NekozRealistic.exe	110
PID 3496 wrote to memory of 396	3496	cmd.exe	112
PID 3496 wrote to memory of 396	3496	cmd.exe	112
PID 3496 wrote to memory of 464	3496	cmd.exe	113
PID 3496 wrote to memory of 464	3496	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe
"C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4656 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4656 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe
  "C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\quaestorship" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1960 --field-trial-handle=1964,i,11863566757333109911,4183227921128429206,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe
  "C:\Users\Admin\AppData\Local\Temp\NekozRealistic.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\quaestorship" --mojo-platform-channel-handle=2144 --field-trial-handle=1964,i,11863566757333109911,4183227921128429206,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:3704
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:548
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:396
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:5084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4656 get ExecutablePath"
  2⤵
  PID:3120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4656 get ExecutablePath
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:1240
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:1396
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:1392
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:4064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:4880
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:4488
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:4616
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:3340
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:4860
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:1064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:1108
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:4140
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
  2⤵
  PID:680
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
  2⤵
  PID:3732
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:4432
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
  2⤵
  PID:3204
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:940
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:3368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
  2⤵
  PID:2448
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
  2⤵
  PID:388
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:464
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:2740
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:3452
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:4000
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
  2⤵
  PID:1240
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
    3⤵
    PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:960
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
    3⤵
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
    3⤵
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\U2Hom2qPh4nl_tezmp.ps1""
  2⤵
  PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\U2Hom2qPh4nl_tezmp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:5108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2796
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3332
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupEEZ029 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe /f"
  2⤵
  PID:1464
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupEEZ029 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe /f
    3⤵
    - Adds Run key to start application
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupEEZ029 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe\" /F /rl highest"
  2⤵
  PID:4616
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupEEZ029 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe\" /F /rl highest
    3⤵
    PID:3460
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupEEZ029 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe\" /F /rl highest
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe\"""
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  PID:4244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe\""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4984
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\NekozRealistic.exe
      4⤵
      Views/modifies file attributes
      PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NekozRealistic.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutWWgZT.ps1" -RunAsAdministrator"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutWWgZT.ps1" -RunAsAdministrator
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Command and Scripting Interpreter: PowerShell
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:60
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2148
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3132
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1876
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3360
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
43KB

MD5
252b4fda07550496d330d819f15ceb3e

SHA1
650584312b310219a26d5fc20cb1804bb6c4dde5

SHA256
39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d

SHA512
a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

Filesize
33KB

MD5
c555604e8b6f818991e186342f856b1b

SHA1
3ae02db8eba2f4fa30cb7567a9f5bf8346faded0

SHA256
012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972

SHA512
01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
5KB

MD5
2f0a6a34d9b95bba0e3358ddd41ff2ac

SHA1
f39a9e7aeab9fe86fd9034284516de40186e6e93

SHA256
6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5

SHA512
a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\bg_obf.js

Filesize
87KB

MD5
9ac39dc31635a363e377eda0f6fbe03f

SHA1
29fa5ad995e9ec866ece1d3d0b698fc556580eee

SHA256
9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38

SHA512
0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d460ce715a00afd56cda62e926b8b17

SHA1
3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22

SHA256
195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb

SHA512
1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
160686950a7637fa8f632f3a3556f1f8

SHA1
e74756f9d31a5f014f5cf2d2a22f41267d88b404

SHA256
b0e7b095b7ab92461c7320e1bc23257e8256650cdb0b829dfd26875e1c985f47

SHA512
1ef4c711fe5b4f0dd8644cb4f1eade4743e8aa6f2d962e1189c7e974a00020a6ebdc49657230111155f7447b4f238cd8897b8308e2b2517fba2a590053aff360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3f9a451e5e8209b5c8f53decc67ff536

SHA1
91888c4cd5d95c9bcf92cadaf0dfcb36f544f4e5

SHA256
e307e31059e13102f33bd207c9c0fc25c0ed48614282d7328372961b446d8f82

SHA512
5a8754eb749d167372aab45139444088f4de75f10ed3e0b5403c473a8363b675a70d05e3cbef1a4e5a95b6e54d04db3dc5dea61b9f77bc72fa1d7475185849de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\36b4cbd3-96fe-46a8-a775-d78b11c12b66.tmp.node

Filesize
153KB

MD5
d4d3bee4149f3220daf0c629b8d8ccc5

SHA1
5ea49b4fea9a2744dae04c324be171a5c1547c29

SHA256
c6240befc79685827d0ecf6b31c71d5121b120697dc1f6de0679b32a55255092

SHA512
5f7c2fa50d0d1829bafa4ba9053bdbe90820cff3ec424bbf05c38198852ec9d70987d4521c78cb4cc3a2f1774fb28f7fa9b9f9dcd3071a34a782df6fcb6c215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7rzzrSD9cxwd9P1ZJa9\Browsers\Bookmarks.txt

Filesize
2KB

MD5
f1098c29ab29eb21e0a755c1a6a61b5d

SHA1
66af2ce22968c2a4c3b839cbb7a11950d09fe741

SHA256
3e7648c0d13afdd31b0e48992c8b96bc4cb18a8cd17e2662d0bd1c01147fcc73

SHA512
d32d34b163cd88d2887fb79cce090ee5be263f92d36c8bcc0c33ad5b33612a00fa7c59a5235582354f79a354c985a86fe636be57dde1227a69fbfb5002588daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7rzzrSD9cxwd9P1ZJa9\System\PVMNUDVD - 2024-08-25_015612.png

Filesize
422KB

MD5
ea5343b24b5b4581809b72ed317f1d9b

SHA1
118fbcbbd396867108a7024bee4da595a7a207a3

SHA256
b1501a626286590adbb602f324ae4c82bcbb7781db828aa385b0d7702bc9f45d

SHA512
a6bda11d982181183a1c69deeb44a105b6b72416886f07888a8d1ac99e58c3c75a00b643eedaffc3c86a3081e0ed4ed04d5dc4769267030f8af615ebea2d9978

Download Submit
C:\Users\Admin\AppData\Local\Temp\U2Hom2qPh4nl_tezmp.ps1

Filesize
728B

MD5
7692f34eb6c31254a26b0523723a5a4c

SHA1
b3ba7846e61832166f5ce3484ab013aac4fd8142

SHA256
ac99cff55cfac72c81f686fd52e8139dac0ca36745da01d7d43d41c7dae6a0b4

SHA512
6f0892da822f78bcdae00a0e5275881a756920791d31988a6f2e04b597a92868a96a907914d94d0cc23fc0ba97879b2ef153e95e56393b7027b23a803342d8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecuzribt.1xz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a96b6407-68be-44ee-a6a8-d26a6a28e41f.tmp.node

Filesize
124KB

MD5
78e8f91e4ee55d918198fcbc2b1037ef

SHA1
c0d98b747d911079d2e546c04c74dd927085df2f

SHA256
a5d80d9fb5c6beb98a86b8049d182424e7969010c6886f6c409901d75a222797

SHA512
00b56106ba7f3483fbed64f8839bb443090f048a321268183a4e01ba9297e8ede722f4c0567f91e65db256bf484034d821ca7bae54500654a6693daeaa295a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3e026c0-ba7c-44e5-809d-17aa29ba284b.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Roaming\salutWWgZT.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/3728-21-0x0000024674C80000-0x0000024674CA2000-memory.dmp

Filesize
136KB

Download