Scores by task (name, platform, score):
overview: 10
static: 3
Files/Apps/7z.bat (windows7-x64): 10
Files/Apps...F4.bat (windows7-x64): 8
Files/Apps/bts.bat (windows7-x64): 3
Files/Apps/chrome.bat (windows7-x64): 8
Files/Apps/ctt.bat (windows7-x64): 3
Files/Apps...ch.bat (windows7-x64): 6
Files/Apps...ox.bat (windows7-x64): 1
Files/Apps/flux.bat (windows7-x64): 3
Files/Apps/geek.bat (windows7-x64): 10
Files/Apps/git.bat (windows7-x64): 8
Files/Apps/logo.bat (windows7-x64): 3
Files/Apps/pcm.bat (windows7-x64): 8
Files/Apps/ps7.bat (windows7-x64): 10
Files/Apps/pswin7.bat (windows7-x64): 10
Files/Apps/winget.bat (windows7-x64): 3
Files/Apps...ys.bat (windows7-x64): 3
Files/Back...ry.bat (windows7-x64): 1
Files/Comm...me.bat (windows7-x64): 1
Files/Comp...ps.bat (windows7-x64): 1
Files/Comp...up.bat (windows7-x64): 1
Files/GPEE.bat (windows7-x64): 1
Files/IPGe...or.exe (windows7-x64): 3
Files/IPStealer.bat (windows7-x64): 1
Files/Impo...ps.bat (windows7-x64): 1
Files/InfoFinder.bat (windows7-x64): 1
Files/Malw...et.bat (windows7-x64): 1
Files/Newt...on.dll (windows7-x64): 1
Files/Pass...or.bat (windows7-x64): 1
Files/RAUP.bat (windows7-x64): 1
Files/SMBB...er.bat (windows7-x64): 1
Files/SSAMBYO.bat (windows7-x64): 8
Files/Schn...s).bat (windows7-x64): 1
Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 12:02
Static task
static1
Behavioral task
behavioral1
Sample
Files/Apps/7z.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Files/Apps/SuperF4.bat
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Files/Apps/bts.bat
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Files/Apps/chrome.bat
Resource
win7-20240704-en
Behavioral task
behavioral5
Sample
Files/Apps/ctt.bat
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Files/Apps/fastfetch.bat
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
Files/Apps/firefox.bat
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Files/Apps/flux.bat
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
Files/Apps/geek.bat
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Files/Apps/git.bat
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
Files/Apps/logo.bat
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Files/Apps/pcm.bat
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
Files/Apps/ps7.bat
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Files/Apps/pswin7.bat
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
Files/Apps/winget.bat
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Files/Apps/wintoys.bat
Resource
win7-20240704-en
Behavioral task
behavioral17
Sample
Files/BackupRegistry.bat
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Files/CommandLineGame.bat
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
Files/Components/Import Backups.bat
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Files/Components/Registry Backup.bat
Resource
win7-20240729-en
Behavioral task
behavioral21
Sample
Files/GPEE.bat
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Files/IPGeolocator.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
Files/IPStealer.bat
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Files/ImportBackups.bat
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
Files/InfoFinder.bat
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Files/Malwarebytes-Premium-Reset.bat
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
Files/Newtonsoft.Json.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Files/PasswordGenerator.bat
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
Files/RAUP.bat
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Files/SMBBruteforcer.bat
Resource
win7-20240708-en
Behavioral task
behavioral31
Sample
Files/SSAMBYO.bat
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
Files/Schnuker/Files/Run Me (Instructions).bat
Resource
win7-20240903-en
General
Target: Files/Apps/geek.bat
Size: 1KB
MD5: 7ab38d80aa19a44d6a1c792400a44d15
SHA1: 9cb921a2a61a9e1e42ef93c2a4d6f505c244a03e
SHA256: 1c36c6df5dcc675f2f27b95503aadb92b6657f6c130be829605e55ca9b7dafda
SHA512: d7740258e28a3e468c33bfb0b47373a364c4fbff432dfe01322bd5b928c45a19fa2e50388aaa8e55d0b72b14b71ff783e9e3348ffdcc084c854b9d0288d694da
Malware Config
Extracted
https://community.chocolatey.org/install.ps1
Signatures
Blocklisted process makes network request 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\system32\fltMC.exefltmc2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp2⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\system32\chcp.comchcp3⤵PID:2676
-
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:2356
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\system32\fltMC.exefltmc4⤵PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp4⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\system32\chcp.comchcp5⤵PID:1956
-
-
-
C:\Windows\system32\chcp.comchcp 650014⤵PID:2152
-
-
C:\Windows\system32\chcp.comchcp 4374⤵PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\fltMC.exefltmc6⤵PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp6⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\system32\chcp.comchcp7⤵PID:804
-
-
-
C:\Windows\system32\chcp.comchcp 650016⤵PID:1704
-
-
C:\Windows\system32\chcp.comchcp 4376⤵PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "7⤵PID:2096
-
C:\Windows\system32\fltMC.exefltmc8⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp8⤵PID:2588
-
C:\Windows\system32\chcp.comchcp9⤵PID:756
-
-
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2468
-
-
C:\Windows\system32\chcp.comchcp 4378⤵PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "9⤵PID:2336
-
C:\Windows\system32\fltMC.exefltmc10⤵PID:536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp10⤵PID:1360
-
C:\Windows\system32\chcp.comchcp11⤵PID:1776
-
-
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:464
-
-
C:\Windows\system32\chcp.comchcp 43710⤵PID:112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))10⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "11⤵PID:888
-
C:\Windows\system32\fltMC.exefltmc12⤵PID:1720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp12⤵PID:2952
-
C:\Windows\system32\chcp.comchcp13⤵PID:2400
-
-
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:2068
-
-
C:\Windows\system32\chcp.comchcp 43712⤵PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "13⤵PID:2688
-
C:\Windows\system32\fltMC.exefltmc14⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp14⤵PID:2548
-
C:\Windows\system32\chcp.comchcp15⤵PID:2656
-
-
-
C:\Windows\system32\chcp.comchcp 6500114⤵PID:2504
-
-
C:\Windows\system32\chcp.comchcp 43714⤵PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned14⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))14⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "15⤵PID:2592
-
C:\Windows\system32\fltMC.exefltmc16⤵PID:2892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp16⤵PID:1104
-
C:\Windows\system32\chcp.comchcp17⤵PID:2864
-
-
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:2876
-
-
C:\Windows\system32\chcp.comchcp 43716⤵PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))16⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "17⤵PID:1856
-
C:\Windows\system32\fltMC.exefltmc18⤵PID:1660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp18⤵PID:1036
-
C:\Windows\system32\chcp.comchcp19⤵PID:1920
-
-
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:1948
-
-
C:\Windows\system32\chcp.comchcp 43718⤵PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned18⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))18⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'18⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "19⤵PID:1132
-
C:\Windows\system32\fltMC.exefltmc20⤵PID:984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp20⤵PID:1324
-
C:\Windows\system32\chcp.comchcp21⤵PID:2084
-
-
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:1912
-
-
C:\Windows\system32\chcp.comchcp 43720⤵PID:2752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned20⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))20⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'20⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "21⤵PID:2904
-
C:\Windows\system32\fltMC.exefltmc22⤵PID:2272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp22⤵PID:2012
-
C:\Windows\system32\chcp.comchcp23⤵PID:2196
-
-
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:1508
-
-
C:\Windows\system32\chcp.comchcp 43722⤵PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))22⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'22⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "23⤵PID:2776
-
C:\Windows\system32\fltMC.exefltmc24⤵PID:2488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp24⤵PID:2692
-
C:\Windows\system32\chcp.comchcp25⤵PID:2008
-
-
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:2600
-
-
C:\Windows\system32\chcp.comchcp 43724⤵PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned24⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))24⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'24⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "25⤵PID:3020
-
C:\Windows\system32\fltMC.exe | fltmc | 26⤵ | PID:2888
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 26⤵ | PID:876
C:\Windows\system32\chcp.com | chcp | 27⤵ | PID:2828
C:\Windows\system32\chcp.com | chcp 65001 | 26⤵ | PID:1368
C:\Windows\system32\chcp.com | chcp 437 | 26⤵ | PID:1480
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 26⤵ | PID:1488
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 26⤵ | PID:1992
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 26⤵ | PID:1296
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 27⤵ | PID:1812
C:\Windows\system32\fltMC.exe | fltmc | 28⤵ | PID:1652
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 28⤵ | PID:1532
C:\Windows\system32\chcp.com | chcp | 29⤵ | PID:1048
C:\Windows\system32\chcp.com | chcp 65001 | 28⤵ | PID:2744
C:\Windows\system32\chcp.com | chcp 437 | 28⤵ | PID:1316
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 28⤵ | PID:2728
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 28⤵ | PID:1932
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 28⤵ | PID:2264
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 29⤵ | PID:2932
C:\Windows\system32\fltMC.exe | fltmc | 30⤵ | PID:1032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 30⤵ | PID:2168
C:\Windows\system32\chcp.com | chcp | 31⤵ | PID:1356
C:\Windows\system32\chcp.com | chcp 65001 | 30⤵ | PID:1632
C:\Windows\system32\chcp.com | chcp 437 | 30⤵ | PID:404
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 30⤵ | PID:2200
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 30⤵ | PID:1324
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 30⤵ | PID:960
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 31⤵ | PID:956
C:\Windows\system32\fltMC.exe | fltmc | 32⤵ | PID:2032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 32⤵ | PID:1752
C:\Windows\system32\chcp.com | chcp | 33⤵ | PID:1276
C:\Windows\system32\chcp.com | chcp 65001 | 32⤵ | PID:2432
C:\Windows\system32\chcp.com | chcp 437 | 32⤵ | PID:1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 32⤵ | PID:1648
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 32⤵ | PID:1428
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 32⤵ | PID:2068
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 33⤵ | PID:2972
C:\Windows\system32\fltMC.exe | fltmc | 34⤵ | PID:1832
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 34⤵ | PID:2608
C:\Windows\system32\chcp.com | chcp | 35⤵ | PID:3068
C:\Windows\system32\chcp.com | chcp 65001 | 34⤵ | PID:2624
C:\Windows\system32\chcp.com | chcp 437 | 34⤵ | PID:2788
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 34⤵ | PID:2712
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 34⤵ | PID:2488
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 34⤵ | PID:2548
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 35⤵ | PID:2536
C:\Windows\system32\fltMC.exe | fltmc | 36⤵ | PID:696
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 36⤵ | PID:2544
C:\Windows\system32\chcp.com | chcp | 37⤵ | PID:1052
C:\Windows\system32\chcp.com | chcp 65001 | 36⤵ | PID:580
C:\Windows\system32\chcp.com | chcp 437 | 36⤵ | PID:768
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 36⤵ | PID:440
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 36⤵ | PID:2912
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 36⤵ | PID:2704
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 37⤵ | PID:2552
C:\Windows\system32\fltMC.exe | fltmc | 38⤵ | PID:324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 38⤵ | PID:2988
C:\Windows\system32\chcp.com | chcp | 39⤵ | PID:3028
C:\Windows\system32\chcp.com | chcp 65001 | 38⤵ | PID:1992
C:\Windows\system32\chcp.com | chcp 437 | 38⤵ | PID:1964
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 38⤵ | PID:1972
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 38⤵ | PID:1296
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 38⤵ | PID:2832
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 39⤵ | PID:2980
C:\Windows\system32\fltMC.exe | fltmc | 40⤵ | PID:2588
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 40⤵ | PID:2160
C:\Windows\system32\chcp.com | chcp | 41⤵ | PID:2380
C:\Windows\system32\chcp.com | chcp 65001 | 40⤵ | PID:2532
C:\Windows\system32\chcp.com | chcp 437 | 40⤵ | PID:1916
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 40⤵ | PID:2164
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 40⤵ | PID:2756
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 40⤵ | PID:1136
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 41⤵ | PID:1776
C:\Windows\system32\fltMC.exe | fltmc | 42⤵ | PID:2752
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 42⤵ | PID:1360
C:\Windows\system32\chcp.com | chcp | 43⤵ | PID:2396
C:\Windows\system32\chcp.com | chcp 65001 | 42⤵ | PID:1324
C:\Windows\system32\chcp.com | chcp 437 | 42⤵ | PID:1708
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 42⤵ | PID:2424
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 42⤵ | PID:1224
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 42⤵ | PID:700
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 43⤵ | PID:1600
C:\Windows\system32\fltMC.exe | fltmc | 44⤵ | PID:2464
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 44⤵ | PID:1328
C:\Windows\system32\chcp.com | chcp | 45⤵ | PID:3056
C:\Windows\system32\chcp.com | chcp 65001 | 44⤵ | PID:1428
C:\Windows\system32\chcp.com | chcp 437 | 44⤵ | PID:2076
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 44⤵ | PID:2296
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 44⤵ | PID:956
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 44⤵ | PID:2388
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 45⤵ | PID:2364
C:\Windows\system32\fltMC.exe | fltmc | 46⤵ | PID:2628
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 46⤵ | PID:2128
C:\Windows\system32\chcp.com | chcp | 47⤵ | PID:2504
C:\Windows\system32\chcp.com | chcp 65001 | 46⤵ | PID:2188
C:\Windows\system32\chcp.com | chcp 437 | 46⤵ | PID:1612
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 46⤵ | PID:1956
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 46⤵ | PID:1440
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 46⤵ | PID:2828
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 47⤵ | PID:2556
C:\Windows\system32\fltMC.exe | fltmc | 48⤵ | PID:1572
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 48⤵ | PID:2848
C:\Windows\system32\chcp.com | chcp | 49⤵ | PID:2892
C:\Windows\system32\chcp.com | chcp 65001 | 48⤵ | PID:2152
C:\Windows\system32\chcp.com | chcp 437 | 48⤵ | PID:2536
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 48⤵ | PID:2996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 48⤵ | PID:2540
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 48⤵ | PID:1660
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 49⤵ | PID:1948
C:\Windows\system32\fltMC.exe | fltmc | 50⤵ | PID:2592
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 50⤵ | PID:2324
C:\Windows\system32\chcp.com | chcp | 51⤵ | PID:328
C:\Windows\system32\chcp.com | chcp 65001 | 50⤵ | PID:1872
C:\Windows\system32\chcp.com | chcp 437 | 50⤵ | PID:2832
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 50⤵ | PID:3004
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 50⤵ | PID:1420
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 50⤵ | PID:1856
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 51⤵ | PID:1860
C:\Windows\system32\fltMC.exe | fltmc | 52⤵ | PID:788
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 52⤵ | PID:1868
C:\Windows\system32\chcp.com | chcp | 53⤵ | PID:2092
C:\Windows\system32\chcp.com | chcp 65001 | 52⤵ | PID:2148
C:\Windows\system32\chcp.com | chcp 437 | 52⤵ | PID:1136
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 52⤵ | PID:2980
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 52⤵ | PID:1020
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 52⤵ | PID:996
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 53⤵ | PID:2036
C:\Windows\system32\fltMC.exe | fltmc | 54⤵ | PID:1516
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 54⤵ | PID:1504
C:\Windows\system32\chcp.com | chcp | 55⤵ | PID:2408
C:\Windows\system32\chcp.com | chcp 65001 | 54⤵ | PID:1788
C:\Windows\system32\chcp.com | chcp 437 | 54⤵ | PID:700
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 54⤵ | PID:2096
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 54⤵ | PID:2768
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 54⤵ | PID:2500
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 55⤵ | PID:2664
C:\Windows\system32\fltMC.exe | fltmc | 56⤵ | PID:836
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 56⤵ | PID:2056
C:\Windows\system32\chcp.com | chcp | 57⤵ | PID:3044
C:\Windows\system32\chcp.com | chcp 65001 | 56⤵ | PID:2236
C:\Windows\system32\chcp.com | chcp 437 | 56⤵ | PID:2772
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 56⤵ | PID:1556
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 56⤵ | PID:580
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 56⤵ | PID:3008
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 57⤵ | PID:2884
C:\Windows\system32\fltMC.exe | fltmc | 58⤵ | PID:2872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 58⤵ | PID:2912
C:\Windows\system32\chcp.com | chcp | 59⤵ | PID:1248
C:\Windows\system32\chcp.com | chcp 65001 | 58⤵ | PID:2644
C:\Windows\system32\chcp.com | chcp 437 | 58⤵ | PID:2828
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 58⤵ | PID:2244
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 58⤵ | PID:2560
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 58⤵ | PID:1048
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 59⤵ | PID:608
C:\Windows\system32\fltMC.exe | fltmc | 60⤵ | PID:2720
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 60⤵ | PID:2740
C:\Windows\system32\chcp.com | chcp | 61⤵ | PID:1820
C:\Windows\system32\chcp.com | chcp 65001 | 60⤵ | PID:1340
C:\Windows\system32\chcp.com | chcp 437 | 60⤵ | PID:1660
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 60⤵ | PID:2856
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 60⤵ | PID:2160
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 60⤵ | PID:1524
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 61⤵ | PID:632
C:\Windows\system32\fltMC.exe | fltmc | 62⤵ | PID:404
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 62⤵ | PID:2220
C:\Windows\system32\chcp.com | chcp | 63⤵ | PID:2180
C:\Windows\system32\chcp.com | chcp 65001 | 62⤵ | PID:2344
C:\Windows\system32\chcp.com | chcp 437 | 62⤵ | PID:2868
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 62⤵ | PID:1948
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 62⤵ | PID:1360
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 62⤵ | PID:2044
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 63⤵ | PID:1200
C:\Windows\system32\fltMC.exe | fltmc | 64⤵ | PID:2392
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 64⤵ | PID:1224
C:\Windows\system32\chcp.com | chcp | 65⤵ | PID:2284
C:\Windows\system32\chcp.com | chcp 65001 | 64⤵ | PID:996
C:\Windows\system32\chcp.com | chcp 437 | 64⤵ | PID:1996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 64⤵ | PID:1912
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 64⤵ | PID:3056
- Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 64⤵ | PID:2296
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 65⤵ | PID:2216
C:\Windows\system32\fltMC.exe | fltmc | 66⤵ | PID:2520
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 66⤵ | PID:956
C:\Windows\system32\chcp.com | chcp | 67⤵ | PID:2788
C:\Windows\system32\chcp.com | chcp 65001 | 66⤵ | PID:2500
C:\Windows\system32\chcp.com | chcp 437 | 66⤵ | PID:1648
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 66⤵ | PID:2400
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 66⤵ | PID:264
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 66⤵ | PID:768
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 67⤵ | PID:1152
C:\Windows\system32\fltMC.exe | fltmc | 68⤵ | PID:2776
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 68⤵ | PID:1044
C:\Windows\system32\chcp.com | chcp | 69⤵ | PID:1368
C:\Windows\system32\chcp.com | chcp 65001 | 68⤵ | PID:2524
C:\Windows\system32\chcp.com | chcp 437 | 68⤵ | PID:2664
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 68⤵ | PID:2692
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 68⤵ | PID:2512
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 68⤵ | PID:2252
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 69⤵ | PID:1264
C:\Windows\system32\fltMC.exe | fltmc | 70⤵ | PID:756
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 70⤵ | PID:1928
C:\Windows\system32\chcp.com | chcp | 71⤵ | PID:2876
C:\Windows\system32\chcp.com | chcp 65001 | 70⤵ | PID:1480
C:\Windows\system32\chcp.com | chcp 437 | 70⤵ | PID:2688
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 70⤵ | PID:2720
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 70⤵ | PID:1712
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 70⤵ | PID:2936
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 71⤵ | PID:1816
C:\Windows\system32\fltMC.exe | fltmc | 72⤵ | PID:1420
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 72⤵ | PID:2372
C:\Windows\system32\chcp.com | chcp | 73⤵ | PID:1356
C:\Windows\system32\chcp.com | chcp 65001 | 72⤵ | PID:572
C:\Windows\system32\chcp.com | chcp 437 | 72⤵ | PID:608
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 72⤵ | PID:2360
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 72⤵ | PID:3004
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 72⤵ | PID:2144
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 73⤵ | PID:2140
C:\Windows\system32\fltMC.exe | fltmc | 74⤵ | PID:1020
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 74⤵ | PID:2808
C:\Windows\system32\chcp.com | chcp | 75⤵ | PID:2280
C:\Windows\system32\chcp.com | chcp 65001 | 74⤵ | PID:2940
C:\Windows\system32\chcp.com | chcp 437 | 74⤵ | PID:1096
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 74⤵ | PID:632
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 74⤵ | PID:2336
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 74⤵ | PID:1780
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 75⤵ | PID:2784
C:\Windows\system32\fltMC.exe | fltmc | 76⤵ | PID:2428
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 76⤵ | PID:1576
C:\Windows\system32\chcp.com | chcp | 77⤵ | PID:2780
C:\Windows\system32\chcp.com | chcp 65001 | 76⤵ | PID:1608
C:\Windows\system32\chcp.com | chcp 437 | 76⤵ | PID:2432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 76⤵ | PID:1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 76⤵ | PID:2388
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 76⤵ | PID:2608
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 77⤵ | PID:3016
C:\Windows\system32\fltMC.exe | fltmc | 78⤵ | PID:1052
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 78⤵ | PID:580
C:\Windows\system32\chcp.com | chcp | 79⤵ | PID:2824
C:\Windows\system32\chcp.com | chcp 65001 | 78⤵ | PID:2920
C:\Windows\system32\chcp.com | chcp 437 | 78⤵ | PID:768
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 78⤵ | PID:2804
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 78⤵ | PID:2644
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 78⤵ | PID:3028
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 79⤵ | PID:2000
C:\Windows\system32\fltMC.exe | fltmc | 80⤵ | PID:2996
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 80⤵ | PID:1300
C:\Windows\system32\chcp.com | chcp | 81⤵ | PID:2352
C:\Windows\system32\chcp.com | chcp 65001 | 80⤵ | PID:1972
C:\Windows\system32\chcp.com | chcp 437 | 80⤵ | PID:1424
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 80⤵ | PID:876
- Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 80⤵ | PID:1340
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 80⤵ | PID:2132
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 81⤵ | PID:2348
C:\Windows\system32\fltMC.exe | fltmc | 82⤵ | PID:2264
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 82⤵ | PID:1792
C:\Windows\system32\chcp.com | chcp | 83⤵ | PID:2924
C:\Windows\system32\chcp.com | chcp 65001 | 82⤵ | PID:2552
C:\Windows\system32\chcp.com | chcp 437 | 82⤵ | PID:2708
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 82⤵ | PID:1664
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 82⤵ | PID:2344
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 82⤵ | PID:2184
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 83⤵ | PID:2424
C:\Windows\system32\fltMC.exe | fltmc | 84⤵ | PID:2980
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c chcp | 84⤵ | PID:1360
C:\Windows\system32\chcp.com | chcp | 85⤵ | PID:2376
C:\Windows\system32\chcp.com | chcp 65001 | 84⤵ | PID:1752
C:\Windows\system32\chcp.com | chcp 437 | 84⤵ | PID:1552
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy AllSigned | 84⤵ | PID:1816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) | 84⤵ | PID:1224
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"' | 84⤵ | PID:1716
C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" " | 85⤵ | PID:2624
C:\Windows\system32\fltMC.exefltmc86⤵PID:2076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp86⤵PID:1728
-
C:\Windows\system32\chcp.comchcp87⤵PID:892
-
-
-
C:\Windows\system32\chcp.comchcp 6500186⤵PID:3056
-
-
C:\Windows\system32\chcp.comchcp 43786⤵PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned86⤵PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))86⤵PID:956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'86⤵PID:1604
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "87⤵PID:2128
-
C:\Windows\system32\fltMC.exefltmc88⤵PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp88⤵PID:264
-
C:\Windows\system32\chcp.comchcp89⤵PID:1104
-
-
-
C:\Windows\system32\chcp.comchcp 6500188⤵PID:528
-
-
C:\Windows\system32\chcp.comchcp 43788⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned88⤵PID:2784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))88⤵PID:2852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'88⤵PID:2536
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "89⤵PID:1704
-
C:\Windows\system32\fltMC.exefltmc90⤵PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp90⤵PID:1244
-
C:\Windows\system32\chcp.comchcp91⤵PID:3048
-
-
-
C:\Windows\system32\chcp.comchcp 6500190⤵PID:1924
-
-
C:\Windows\system32\chcp.comchcp 43790⤵PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned90⤵
- Command and Scripting Interpreter: PowerShell
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))90⤵PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'90⤵PID:2832
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "91⤵PID:1916
-
C:\Windows\system32\fltMC.exefltmc92⤵PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp92⤵PID:2592
-
C:\Windows\system32\chcp.comchcp93⤵PID:1712
-
-
-
C:\Windows\system32\chcp.comchcp 6500192⤵PID:2588
-
-
C:\Windows\system32\chcp.comchcp 43792⤵PID:1936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned92⤵PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))92⤵PID:1356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'92⤵PID:1324
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "93⤵PID:2344
-
C:\Windows\system32\fltMC.exefltmc94⤵PID:1708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp94⤵PID:1824
-
C:\Windows\system32\chcp.comchcp95⤵PID:3004
-
-
-
C:\Windows\system32\chcp.comchcp 6500194⤵PID:1148
-
-
C:\Windows\system32\chcp.comchcp 43794⤵PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned94⤵
- Command and Scripting Interpreter: PowerShell
PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))94⤵
- Command and Scripting Interpreter: PowerShell
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'94⤵PID:2396
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "95⤵PID:984
-
C:\Windows\system32\fltMC.exefltmc96⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp96⤵PID:1348
-
C:\Windows\system32\chcp.comchcp97⤵PID:944
-
-
-
C:\Windows\system32\chcp.comchcp 6500196⤵PID:2012
-
-
C:\Windows\system32\chcp.comchcp 43796⤵PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned96⤵
- Command and Scripting Interpreter: PowerShell
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))96⤵PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'96⤵PID:2196
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "97⤵PID:2412
-
C:\Windows\system32\fltMC.exefltmc98⤵PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp98⤵PID:2508
-
C:\Windows\system32\chcp.comchcp99⤵PID:2648
-
-
-
C:\Windows\system32\chcp.comchcp 6500198⤵PID:2796
-
-
C:\Windows\system32\chcp.comchcp 43798⤵PID:2404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned98⤵PID:836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))98⤵PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'98⤵PID:2568
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "99⤵PID:2524
-
C:\Windows\system32\fltMC.exefltmc100⤵PID:324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp100⤵PID:2888
-
C:\Windows\system32\chcp.comchcp101⤵PID:2692
-
-
-
C:\Windows\system32\chcp.comchcp 65001100⤵PID:2228
-
-
C:\Windows\system32\chcp.comchcp 437100⤵PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned100⤵PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))100⤵
- Command and Scripting Interpreter: PowerShell
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'100⤵PID:2912
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "101⤵PID:2876
-
C:\Windows\system32\fltMC.exefltmc102⤵PID:2532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp102⤵PID:1660
-
C:\Windows\system32\chcp.comchcp103⤵PID:328
-
-
-
C:\Windows\system32\chcp.comchcp 65001102⤵PID:1340
-
-
C:\Windows\system32\chcp.comchcp 437102⤵PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned102⤵
- Command and Scripting Interpreter: PowerShell
PID:2832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))102⤵PID:1936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'102⤵PID:1524
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "103⤵PID:1356
-
C:\Windows\system32\fltMC.exefltmc104⤵PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp104⤵PID:2124
-
C:\Windows\system32\chcp.comchcp105⤵PID:2116
-
-
-
C:\Windows\system32\chcp.comchcp 65001104⤵PID:2204
-
-
C:\Windows\system32\chcp.comchcp 437104⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned104⤵PID:352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))104⤵PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'104⤵PID:1816
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "105⤵PID:632
-
C:\Windows\system32\fltMC.exefltmc106⤵PID:824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp106⤵PID:1860
-
C:\Windows\system32\chcp.comchcp107⤵PID:2464
-
-
-
C:\Windows\system32\chcp.comchcp 65001106⤵PID:3012
-
-
C:\Windows\system32\chcp.comchcp 437106⤵PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned106⤵
- Command and Scripting Interpreter: PowerShell
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))106⤵PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'106⤵PID:3052
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "107⤵PID:2056
-
C:\Windows\system32\fltMC.exefltmc108⤵PID:2600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp108⤵PID:1684
-
C:\Windows\system32\chcp.comchcp109⤵PID:2036
-
-
-
C:\Windows\system32\chcp.comchcp 65001108⤵PID:2772
-
-
C:\Windows\system32\chcp.comchcp 437108⤵PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned108⤵PID:976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))108⤵PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'108⤵PID:2460
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "109⤵PID:580
-
C:\Windows\system32\fltMC.exefltmc110⤵PID:2664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp110⤵PID:2804
-
C:\Windows\system32\chcp.comchcp111⤵PID:2364
-
-
-
C:\Windows\system32\chcp.comchcp 65001110⤵PID:2872
-
-
C:\Windows\system32\chcp.comchcp 437110⤵PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned110⤵
- Command and Scripting Interpreter: PowerShell
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))110⤵PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'110⤵PID:3008
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "111⤵PID:756
-
C:\Windows\system32\fltMC.exefltmc112⤵PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp112⤵PID:2972
-
C:\Windows\system32\chcp.comchcp113⤵PID:2968
-
-
-
C:\Windows\system32\chcp.comchcp 65001112⤵PID:592
-
-
C:\Windows\system32\chcp.comchcp 437112⤵PID:1296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned112⤵PID:1048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))112⤵PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'112⤵PID:2588
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "113⤵PID:1792
-
C:\Windows\system32\fltMC.exefltmc114⤵PID:2264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp114⤵PID:988
-
C:\Windows\system32\chcp.comchcp115⤵PID:664
-
-
-
C:\Windows\system32\chcp.comchcp 65001114⤵PID:1868
-
-
C:\Windows\system32\chcp.comchcp 437114⤵PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned114⤵PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))114⤵PID:2180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'114⤵PID:2184
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "115⤵PID:912
-
C:\Windows\system32\fltMC.exefltmc116⤵PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp116⤵PID:2376
-
C:\Windows\system32\chcp.comchcp117⤵PID:2284
-
-
-
C:\Windows\system32\chcp.comchcp 65001116⤵PID:2060
-
-
C:\Windows\system32\chcp.comchcp 437116⤵PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned116⤵PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))116⤵
- Command and Scripting Interpreter: PowerShell
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'116⤵PID:1788
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "117⤵PID:1780
-
C:\Windows\system32\fltMC.exefltmc118⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp118⤵PID:864
-
C:\Windows\system32\chcp.comchcp119⤵PID:2640
-
-
-
C:\Windows\system32\chcp.comchcp 65001118⤵PID:2952
-
-
C:\Windows\system32\chcp.comchcp 437118⤵PID:1832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned118⤵
- Command and Scripting Interpreter: PowerShell
PID:2680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))118⤵PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'118⤵PID:2504
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "119⤵PID:520
-
C:\Windows\system32\fltMC.exefltmc120⤵PID:1052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp120⤵PID:1088
-
C:\Windows\system32\chcp.comchcp121⤵PID:1556
-
-
-
C:\Windows\system32\chcp.comchcp 65001120⤵PID:2596
-
-
C:\Windows\system32\chcp.comchcp 437120⤵PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy AllSigned120⤵
- Command and Scripting Interpreter: PowerShell
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))120⤵
- Command and Scripting Interpreter: PowerShell
PID:464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'120⤵PID:956
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "121⤵PID:3028
-
C:\Windows\system32\fltMC.exefltmc122⤵PID:2128