Source: unknown | TCP traffic detected without corresponding DNS query: 185.241.208.183 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.229.90.81 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.220.101.206 |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774CAC000.00000002.00000001.01000000.00000003.sdmp, ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774CAC000.00000002.00000001.01000000.00000003.sdmp, ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://169.254.169.254resolve |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://169.254.170.2EnvConfigCredentialsinvalid |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADDD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADDD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADDD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://dlhcij5vw7utoxi2nvqtmf7t27vud2l2euqqm6qqaknpjjcma36pfyad.onion/receive-----BEGIN |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774CAC000.00000002.00000001.01000000.00000003.sdmp, ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADDD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0 |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://1098762253.rsc.cdn77.org/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://2019.www.torproject.org/docs/tor-manual.html.en) |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADFC9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexe |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADD76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/ |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADD76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows? |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relay |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relayset |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://blog.torproject.org/v2-deprecation-timeline |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bridges.torproject.org/status?id=%s |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bridges.torproject.org/status?id=%suninitialized |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/14917. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/21155. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/8742. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://community.torproject.org/relay/setup/snowflake/) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://creativecommons.org/licenses/by-sa/4.0/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://freehaven.net/anonbib/#hs-attack06 |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/cohosh/snowbox. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/refraction-networking/gotapdance) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gitlab.torproject.org/cohosh/phantombox) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gitlab.torproject.org/tpo/core/tor/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ipapi.co//json/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://jhalderm.com/pub/papers/conjure-ccs19.pdf) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://location.ipfire.org/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://location.ipfire.org/. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://meek.azureedge.net/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://oidc-fips.GetRoleCredentialsAssumeRoleWithSAMLRetryMetricsHeaderRecursionDetectionThrottledE |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADF13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://portal.sso-fips.AddRawResponseToMetadataAWS_LAMBDA_FUNCTION_NAMEFailed |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://portal.sso.unable |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://refraction.network/info) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF77513C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://registration.refraction.network/api |
Source: tor.exe, 00000002.00000003.1530972887.0000029464291000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sabotage.net |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://snowflake.torproject.org/. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://sqs-fips.VisibilityTimeoutusername |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://sts-fips.TransitiveTagKeys&X-Amz-Signature=CloseResponseBodyaws-us-gov-globalusername |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF774AC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://sts.amazonaws.comRequestThrottledExceptionsqs-fips. |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://support.torproject.org/faq/staying-anonymous/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://support.torproject.org/faq/staying-anonymous/alphabetaThis |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://travis-ci.org/keroserene/snowflake) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://travis-ci.org/keroserene/snowflake.svg?branch=master) |
Source: ickTGSF56D.exe, 00000000.00000003.1428387365.0000022BADE09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/trace |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.en.html) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.torproject.org/ |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF7736C2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.torproject.org/documentation.html |
Source: ickTGSF56D.exe, 00000000.00000000.1384643129.00007FF775B3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.vagrantup.com/). |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: pdh.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: umpdc.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: perfos.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Section loaded: cryptnet.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: propsys.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\AppData\Local\Temp\.tmptkRxsd\tor\tor.exe | Section loaded: dnsapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll |
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\ickTGSF56D.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX |