Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
wp.bat

Overview

General Information

Sample name:wp.bat
Analysis ID:1581314
MD5:262d0dc0d3c07f995fda4ee987340fa6
SHA1:6e039fbbc460b2fe4aeac251b48df07e531a263f
SHA256:c4763326f599868a7db6fa708553ba637fbd36323763dc831698538cd404f32b
Tags:batmalwareuser-Joker
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7328 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\wp.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7380 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7396 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7412 cmdline: /C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7444 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7460 cmdline: /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7480 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7496 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7512 cmdline: /C ECHO. [32m,*/((((((((((((((((((/, [92m.*//((//**, [32m .*((((((* [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7544 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7560 cmdline: /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7576 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7592 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7608 cmdline: /C ECHO. [32m(((((((((((/* [94m****************** [32m/####### [32m.(. (((((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7644 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7660 cmdline: /C ECHO. [32m((((((. [92m. [94m****************** [97m/@@@@@/ [94m*** [92m/###### [32m /(((((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7692 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7708 cmdline: /C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7724 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7752 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7792 cmdline: /C ECHO. [32m, , [92m [94m********************** [97m#@@@@@#@@@@ [94m********* [92m## [32m((/ /(((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7804 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7820 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7836 cmdline: /C ECHO. [32m..(( [92m(########## [94m********* [97m/#@@@@@@@@@/ [94m************* [32m,,..(((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7868 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7884 cmdline: /C ECHO. [32m.(( [92m(################(/ [94m****** [97m/@@@@@# [94m**************** [32m.. /(( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7900 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7916 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7932 cmdline: /C ECHO. [32m.( [92m(########################(/ [94m************************ [32m..*( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7964 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7980 cmdline: /C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 8012 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 8028 cmdline: /C ECHO. [32m.( [92m(##################################(/ [94m*************** [32m..( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 8044 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 8060 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 8076 cmdline: /C ECHO. [32m.( [92m(######################################( [94m************ [32m..( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 8108 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 8124 cmdline: /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 8140 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 8156 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 8172 cmdline: /C ECHO. [32m.( [92m(######*(#####((##################((######/( [94m******** [32m..( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 5888 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 428 cmdline: /C ECHO. [32m.( [92m(##################(/**********(################( [94m** [32m...( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 1220 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 3512 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 5756 cmdline: /C ECHO. [32m.(( [92m(####################/*******(################### [32m.(((( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5444 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 1104 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 1668 cmdline: /C ECHO. [32m.(((( [92m(############################################/ [32m /(( [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 4460 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 5868 cmdline: /C ECHO. [32m..(((( [92m(#########################################( [32m..(((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 3448 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 4812 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 4500 cmdline: /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 3668 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 2128 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 5936 cmdline: /C ECHO. [32m......(((( [92m(#################################( [32m .(((((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 3128 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 6488 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7252 cmdline: /C ECHO. [32m(((((((((. , [92m(############################( [32m../(((((((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7340 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 6008 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7400 cmdline: /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7468 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7452 cmdline: /C ECHO. [32m(((((((((/,. [92m,*//////*,. [32m ./(((((((((((. [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7432 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7524 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7504 cmdline: /C ECHO. [32m(((((((((((((((((((((((((((/ [97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7484 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7480 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7552 cmdline: /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7620 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7600 cmdline: /C ECHO. [41mAny misuse of this software will not be the responsibility of the author or of any other collaborator. [40;97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7576 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7652 cmdline: /C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97m MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7632 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7320 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 7696 cmdline: /C ECHO. [32m[*] [97m BASIC SYSTEM INFO MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7688 cmdline: C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • forfiles.exe (PID: 7684 cmdline: FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
        • cmd.exe (PID: 5448 cmdline: /C ECHO. [33m[+] [97m WINDOWS OS MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • systeminfo.exe (PID: 5752 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
    • WMIC.exe (PID: 7892 cmdline: wmic qfe get Caption,Description,HotFixID,InstalledOn MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • more.com (PID: 7888 cmdline: more MD5: EDB3046610020EE614B5B81B0439895E)
    • cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • systeminfo.exe (PID: 7904 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
    • cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • findstr.exe (PID: 7980 cmdline: findstr /i "2000 XP 2003 2008 vista" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • findstr.exe (PID: 8032 cmdline: findstr /i /C:"windows 7" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • findstr.exe (PID: 7996 cmdline: findstr /i "2000 XP 2003 2008 vista" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • findstr.exe (PID: 8060 cmdline: findstr /i /C:"windows 7" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 8044 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO."10.0.19045 N/A Build 19045 " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: wp.batVirustotal: Detection: 39%Perma Link
Source: wp.batReversingLabs: Detection: 42%
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevat
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-fu
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-cred
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
Source: wp.batString found in binary or memory: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
Source: wp.batString found in binary or memory: https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
Source: forfiles.exeProcess created: 282
Source: cmd.exeProcess created: 549
Source: classification engineClassification label: mal56.evad.winBAT@3034/2@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\wp.bat" "
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine, CSName, Description, ExecutablePath, ExecutionState, Handle, HandleCount, InstallDate, KernelModeTime, MaximumWorkingSetSize, MinimumWorkingSetSize, Name, OSName, OtherOperationCount, OtherTransferCount, PageFaults, PageFileUsage, ParentProcessId, PeakPageFileUsage, PeakVirtualSize, PeakWorkingSetSize, Priority, PrivatePageCount, ProcessId, QuotaNonPagedPoolUsage, QuotaPagedPoolUsage, QuotaPeakNonPagedPoolUsage, QuotaPeakPagedPoolUsage, ReadOperationCount, ReadTransferCount, SessionId, Status, TerminationDate, ThreadCount, UserModeTime, VirtualSize, WindowsVersion, WorkingSetSize, WriteOperationCount, WriteTransferCount FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\forfiles.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: wp.batVirustotal: Detection: 39%
Source: wp.batReversingLabs: Detection: 42%
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\wp.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,*/((((((((((((((((((/, [92m.*//((//**, [32m .*((((((* [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((((/* [94m****************** [32m/####### [32m.(. (((((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((. [92m. [94m****************** [97m/@@@@@/ [94m*** [92m/###### [32m /(((((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m, , [92m [94m********************** [97m#@@@@@#@@@@ [94m********* [92m## [32m((/ /(((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m..(( [92m(########## [94m********* [97m/#@@@@@@@@@/ [94m************* [32m,,..(((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(################(/ [94m****** [97m/@@@@@# [94m**************** [32m.. /(( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(########################(/ [94m************************ [32m..*( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################################(/ [94m*************** [32m..( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######################################( [94m************ [32m..( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######*(#####((##################((######/( [94m******** [32m..( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################(/**********(################( [94m** [32m...( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(####################/*******(################### [32m.(((( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(((( [92m(############################################/ [32m /(( [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m..(((( [92m(#########################################( [32m..(((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m......(((( [92m(#################################( [32m .(((((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((. , [92m(############################( [32m../(((((((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/,. [92m,*//////*,. [32m ./(((((((((((. [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((((((((((((((((((((/ [97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mAny misuse of this software will not be the responsibility of the author or of any other collaborator. [40;97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97m
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFO
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [33m[+] [97m WINDOWS OS
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic qfe get Caption,Description,HotFixID,InstalledOn
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i "2000 XP 2003 2008 vista"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /C:"windows 7"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i "2000 XP 2003 2008 vista"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /C:"windows 7"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic qfe get Caption,Description,HotFixID,InstalledOn Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com moreJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /C:"windows 7" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################################(/ [94m*************** [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(####################/*******(################### [32m.(((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m......(((( [92m(#################################( [32m .(((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFOJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com moreJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######################################( [94m************ [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/,. [92m,*//////*,. [32m ./(((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFOJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(################(/ [94m****** [97m/@@@@@# [94m**************** [32m.. /(( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######*(#####((##################((######/( [94m******** [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################(/**********(################( [94m** [32m...( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((. [92m. [94m****************** [97m/@@@@@/ [94m*** [92m/###### [32m /(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [33m[+] [97m WINDOWS OSJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m..(((( [92m(#########################################( [32m..(((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\more.comSection loaded: ulib.dll
Source: C:\Windows\System32\more.comSection loaded: fsutilext.dll
Source: C:\Windows\System32\systeminfo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wp.batBinary or memory string: ::(AUTORUNSC.EXE -M -NOBANNER -A * -CT /ACCEPTEULA 2>NUL || WMIC STARTUP GET CAPTION,COMMAND 2>NUL | MORE & ^
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: wp.batBinary or memory string: findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic qfe get Caption,Description,HotFixID,InstalledOn Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com moreJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /C:"windows 7" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################################(/ [94m*************** [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(####################/*******(################### [32m.(((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m......(((( [92m(#################################( [32m .(((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFOJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com moreJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######################################( [94m************ [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/,. [92m,*//////*,. [32m ./(((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFOJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(( [92m(################(/ [94m****** [97m/@@@@@# [94m**************** [32m.. /(( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######*(#####((##################((######/( [94m******** [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(##################(/**********(################( [94m** [32m...( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((. [92m. [94m****************** [97m/@@@@@/ [94m*** [92m/###### [32m /(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [33m[+] [97m WINDOWS OSJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m..(((( [92m(#########################################( [32m..(((((. [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,*/((((((((((((((((((/, [92m.*//((//**, [32m .*((((((* [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m.(((( [92m(############################################/ [32m /(( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m(((((((((((((((((((((((((((/ [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\forfiles.exe FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m[*] [97m BASIC SYSTEM INFOJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe /C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97mJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\more.com moreJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts141
Windows Management Instrumentation		1
Scripting		11
Process Injection		12
Virtualization/Sandbox Evasion		OS Credential Dumping231
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		11
Process Injection		LSASS Memory12
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS33
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1581314 Sample: wp.bat Startdate: 27/12/2024 Architecture: WINDOWS Score: 56 49 Multi AV Scanner detection for submitted file 2->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->51 8 cmd.exe 1 2->8         started        process3 process4 10 systeminfo.exe 8->10         started        13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        17 42 other processes 8->17 signatures5 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->53 19 forfiles.exe 1 13->19         started        21 forfiles.exe 1 15->21         started        23 forfiles.exe 1 17->23         started        25 forfiles.exe 1 17->25         started        27 forfiles.exe 1 17->27         started        29 27 other processes 17->29 process6 process7 31 cmd.exe 1 19->31         started        33 cmd.exe 1 21->33         started        35 cmd.exe 1 23->35         started        37 cmd.exe 1 25->37         started        39 cmd.exe 1 27->39         started        41 cmd.exe 1 29->41         started        43 cmd.exe 1 29->43         started        45 cmd.exe 1 29->45         started        47 23 other processes 29->47

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
wp.bat39%VirustotalBrowse
wp.bat42%ReversingLabsScript-BAT.Hacktool.WinPEAS

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-fu0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-cred0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevat0%Avira URL Cloudsafe
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.210.172
truefalse
    		high
    s-part-0035.t-0009.t-msedge.net
    		13.107.246.63
    		truefalse
      		high

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credwp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exewp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-fuwp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-wp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processeswp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groupswp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapiwp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijackingwp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#serviceswp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startupwp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsuswp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#softwarewp.batfalse
      • Avira URL Cloud: safe
      		unknown
      https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)wp.batfalse
        		high
        https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vaultwp.batfalse
        • Avira URL Cloud: safe
        		unknown
        https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevatwp.batfalse
        • Avira URL Cloud: safe
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1581314
        Start date and time:2024-12-27 10:40:10 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 49s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:110
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:wp.bat
        Detection:MAL
        Classification:mal56.evad.winBAT@3034/2@0/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .bat

        Warnings

        • Exclude process from analysis (whitelisted): WmiPrvSE.exe
        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 40.69.42.241, 20.242.39.171, 4.245.163.56, 13.107.246.63
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Report size getting too big, too many NtWriteVirtualMemory calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        04:41:14API Interceptor1x Sleep call for process: WMIC.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        bg.microsoft.map.fastly.netfinal.exeGet hashmaliciousMeterpreterBrowse
        • 199.232.214.172
        n5Szx8qsFB.lnkGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        A4FY1OA97K.lnkGet hashmaliciousDanaBotBrowse
        • 199.232.214.172
        vreFmptfUu.lnkGet hashmaliciousDanaBotBrowse
        • 199.232.210.172
        54861 Proforma Invoice AMC2273745.xlam.xlsxGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
        • 199.232.214.172
        C8QT9HkXEb.exeGet hashmaliciousLummaCBrowse
        • 199.232.210.172
        P9UXlizXVS.exeGet hashmaliciousAsyncRATBrowse
        • 199.232.214.172
        Setup64v4.1.9.exeGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        0Ty.png.exeGet hashmaliciousXmrigBrowse
        • 199.232.214.172
        s-part-0035.t-0009.t-msedge.nethttps://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Get hashmaliciousUnknownBrowse
        • 13.107.246.63
        RDb082EApV.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        GnHq2ZaBUl.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        EwhnoHx0n5.exeGet hashmaliciousUnknownBrowse
        • 13.107.246.63
        onaUtwpiyq.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        CAo57G5Cio.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        wJtkC63Spw.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        qZA8AyGxiA.exeGet hashmaliciousUnknownBrowse
        • 13.107.246.63
        ZvHSpovhDw.exeGet hashmaliciousLummaCBrowse
        • 13.107.246.63
        60Zxcx88Uv.exeGet hashmaliciousUnknownBrowse
        • 13.107.246.63

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        \Device\ConDrv

        Download File
        Process:C:\Windows\System32\wbem\WMIC.exe
        File Type:ASCII text, with CRLF, CR line terminators
        Category:dropped
        Size (bytes):28
        Entropy (8bit):4.208966082694623
        Encrypted:false
        SSDEEP:3:nLWGWNI3ov:nyGWNOov
        MD5:F2CE4C29DC78D5906090690C345EAF80
        SHA1:D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
        SHA-256:0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
        SHA-512:51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
        Malicious:false
        Preview:No Instance(s) Available....

        \Device\Null

        Download File
        Process:C:\Windows\System32\cmd.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):98
        Entropy (8bit):5.205392150865669
        Encrypted:false
        SSDEEP:3:2f+ty8AAXo2ktNdMcxwDH+cFc:3LAA7cwbzFc
        MD5:918C9F31742198EE4909BAA426289CA3
        SHA1:F9C6D3DB46E16AABEBA227FEBA00675FE30D4F48
        SHA-256:88E57BDFCC9699A9EF0F83D4B2824C8466617F46B802433F2092BF7C47DE7E5C
        SHA-512:8CD4D4059A821C8BD2E62991DA69DC8DA10850D424C191304A71BF2C56303DE9801CA36635A51DC7262C25E6A8E2F3E11B4E4C630EDA386D46E453F84430A572
        Malicious:false
        Preview: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe | findstr /r /c:"[a-Z][ ][a-Z]" ..

        Static File Info

        General

        File type:DOS batch file, ASCII text, with very long lines (1307), with CRLF line terminators
        Entropy (8bit):5.672896184625232
        TrID:
          File name:wp.bat
          File size:36'622 bytes
          MD5:262d0dc0d3c07f995fda4ee987340fa6
          SHA1:6e039fbbc460b2fe4aeac251b48df07e531a263f
          SHA256:c4763326f599868a7db6fa708553ba637fbd36323763dc831698538cd404f32b
          SHA512:0a36ccaa5cb17375a14b49139aeb803924905ac33810f1a24b5009bee036c527b2c658e596641ada4bdebf57285aa31af4f6c7391215588694cdb2f4ed7000d1
          SSDEEP:768:THE4YDBRQ6u54v8VarEk6VcImqQn6CMTM4LvfnCMOqHLhqghCTmrLIhyjTDw1ZoL:7E4YDBRRu54v88rT6VcImqQn6CMTM4Lf
          TLSH:C0F2A58625041C2943F6E7B7AA454F80037311772D17A9CD3ADDA8BD9B2E1EE1B321DB
          File Content Preview:@ECHO OFF & SETLOCAL EnableDelayedExpansion..TITLE WinPEAS - Windows local Privilege Escalation Awesome Script..COLOR 0F..CALL :SetOnce....REM :: WinPEAS - Windows local Privilege Escalation Awesome Script..REM :: Code by carlospolop; Re-Write by ThisLimn

          File Icon

          Icon Hash:9686878b929a9886

          Network Behavior

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Dec 27, 2024 10:41:27.709527016 CET1.1.1.1192.168.2.40xac47No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
          Dec 27, 2024 10:41:27.709527016 CET1.1.1.1192.168.2.40xac47No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
          Dec 27, 2024 10:41:59.918682098 CET1.1.1.1192.168.2.40xc82dNo error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
          Dec 27, 2024 10:41:59.918682098 CET1.1.1.1192.168.2.40xc82dNo error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\wp.bat" "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:1
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:2
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:3
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((,.,/((((((((((((((((((((/, */0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:4
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m((,.,/((((((((((((((((((((/, */ [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:5
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:6
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,/*,..*(((((((((((((((((((((((((((((((((,0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:7
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m,/*,..*(((((((((((((((((((((((((((((((((, [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:8
          Start time:04:41:07
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:9
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,*/((((((((((((((((((/, 0x1B[92m.*//((//**,0x1B[32m .*((((((*0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:10
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m,*/((((((((((((((((((/, [92m.*//((//**, [32m .*((((((* [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:11
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:12
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((((((((((((* 0x1B[94m*****0x1B[32m,,,/########## 0x1B[32m.(* ,((((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:13
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m((((((((((((((((* [94m***** [32m,,,/########## [32m.(* ,(((((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:14
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:15
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((/* 0x1B[94m******************0x1B[32m/####### 0x1B[32m.(. ((((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:16
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m(((((((((((/* [94m****************** [32m/####### [32m.(. (((((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:17
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:18
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m((((((.0x1B[92m.0x1B[94m******************0x1B[97m/@@@@@/0x1B[94m***0x1B[92m/######0x1B[32m /((((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:19
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m((((((. [92m. [94m****************** [97m/@@@@@/ [94m*** [92m/###### [32m /(((((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:20
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:21
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m,,.0x1B[92m.0x1B[94m**********************0x1B[97m@@@@@@@@@@(0x1B[94m***0x1B[92m,####0x1B[32m ../(((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:22
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m,,. [92m. [94m********************** [97m@@@@@@@@@@( [94m*** [92m,#### [32m ../((((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:23
          Start time:04:41:08
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:24
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m, ,0x1B[92m0x1B[94m**********************0x1B[97m#@@@@@#@@@@0x1B[94m*********0x1B[92m##0x1B[32m((/ /((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:25
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m, , [92m [94m********************** [97m#@@@@@#@@@@ [94m********* [92m## [32m((/ /(((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:26
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:27
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((0x1B[92m(##########0x1B[94m*********0x1B[97m/#@@@@@@@@@/0x1B[94m*************0x1B[32m,,..((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:28
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m..(( [92m(########## [94m********* [97m/#@@@@@@@@@/ [94m************* [32m,,..(((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:29
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:30
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(################(/0x1B[94m******0x1B[97m/@@@@@#0x1B[94m****************0x1B[32m.. /((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:31
          Start time:04:41:09
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.(( [92m(################(/ [94m****** [97m/@@@@@# [94m**************** [32m.. /(( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:32
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:33
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(########################(/0x1B[94m************************0x1B[32m..*(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:34
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(########################(/ [94m************************ [32m..*( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:35
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:36
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(#############################(/0x1B[94m********************0x1B[32m.,(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:37
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(#############################(/ [94m******************** [32m.,( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:38
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:39
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################################(/0x1B[94m***************0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:40
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(##################################(/ [94m*************** [32m..( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:41
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:42
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######################################(0x1B[94m************0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:43
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(######################################( [94m************ [32m..( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:44
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:45
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######(,.***.,(###################(..***(/0x1B[94m*********0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:46
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(######(,.***.,(###################(..***(/ [94m********* [32m..( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:47
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:48
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(######*(#####((##################((######/(0x1B[94m********0x1B[32m..(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:49
          Start time:04:41:10
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(######*(#####((##################((######/( [94m******** [32m..( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:50
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:51
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.(0x1B[92m(##################(/**********(################(0x1B[94m**0x1B[32m...(0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:52
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.( [92m(##################(/**********(################( [94m** [32m...( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:53
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:54
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((0x1B[92m(####################/*******(###################0x1B[32m.((((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:55
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.(( [92m(####################/*******(################### [32m.(((( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:56
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:57
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m.((((0x1B[92m(############################################/0x1B[32m /((0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:58
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m.(((( [92m(############################################/ [32m /(( [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:59
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:60
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m..((((0x1B[92m(#########################################(0x1B[32m..(((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:61
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m..(((( [92m(#########################################( [32m..(((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:62
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:63
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m....((((0x1B[92m(#####################################(0x1B[32m .((((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:64
          Start time:04:41:11
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m....(((( [92m(#####################################( [32m .((((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:65
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:66
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m......((((0x1B[92m(#################################(0x1B[32m .(((((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:67
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m......(((( [92m(#################################( [32m .(((((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:68
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:69
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((. ,0x1B[92m(############################(0x1B[32m../(((((((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:70
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m(((((((((. , [92m(############################( [32m../(((((((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:71
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:72
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/, 0x1B[92m,####################(0x1B[32m/..((((((((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:73
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m(((((((((/, [92m,####################( [32m/..((((((((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:74
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:75
          Start time:04:41:12
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((/,. 0x1B[92m,*//////*,.0x1B[32m ./(((((((((((.0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:76
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m(((((((((/,. [92m,*//////*,. [32m ./(((((((((((. [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:77
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:78
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[32m(((((((((((((((((((((((((((/0x1B[97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:79
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m(((((((((((((((((((((((((((/ [97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:80
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:81
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.0x1B[40;97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:82
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [41mWinPEAS should be used for authorized penetration testing and/or educational purposes only. [40;97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:83
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:84
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.0x1B[40;97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:85
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [41mAny misuse of this software will not be the responsibility of the author or of any other collaborator. [40;97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:86
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:87
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[41mUse it at your own networks and/or with the network owner's permission.0x1B[40;97m"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:88
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [41mUse it at your own networks and/or with the network owner's permission. [40;97m
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:89
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:90
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO.0x1B[32m[*]0x1B[97m BASIC SYSTEM INFO"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:91
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [32m[*] [97m BASIC SYSTEM INFO
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:92
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:93
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\forfiles.exe
          Wow64 process (32bit):false
          Commandline:FORFILES.EXE /P C:\Users\user\Desktop\ /M wp.bat /C "CMD /C ECHO. 0x1B[33m[+]0x1B[97m WINDOWS OS"
          Imagebase:0x7ff7550c0000
          File size:52'224 bytes
          MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:94
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:/C ECHO. [33m[+] [97m WINDOWS OS
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:95
          Start time:04:41:13
          Start date:27/12/2024
          Path:C:\Windows\System32\systeminfo.exe
          Wow64 process (32bit):false
          Commandline:systeminfo
          Imagebase:0x7ff63e960000
          File size:110'080 bytes
          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:97
          Start time:04:41:14
          Start date:27/12/2024
          Path:C:\Windows\System32\wbem\WMIC.exe
          Wow64 process (32bit):false
          Commandline:wmic qfe get Caption,Description,HotFixID,InstalledOn
          Imagebase:0x7ff65e0b0000
          File size:576'000 bytes
          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:98
          Start time:04:41:14
          Start date:27/12/2024
          Path:C:\Windows\System32\more.com
          Wow64 process (32bit):false
          Commandline:more
          Imagebase:0x7ff6ddfb0000
          File size:29'696 bytes
          MD5 hash:EDB3046610020EE614B5B81B0439895E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:99
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c systeminfo
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:100
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\systeminfo.exe
          Wow64 process (32bit):false
          Commandline:systeminfo
          Imagebase:0x7ff63e960000
          File size:110'080 bytes
          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:101
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:102
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\findstr.exe
          Wow64 process (32bit):false
          Commandline:findstr /i "2000 XP 2003 2008 vista"
          Imagebase:0x7ff606930000
          File size:36'352 bytes
          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:103
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO."user-PC " "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:104
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\findstr.exe
          Wow64 process (32bit):false
          Commandline:findstr /i /C:"windows 7"
          Imagebase:0x7ff606930000
          File size:36'352 bytes
          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:105
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:106
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\findstr.exe
          Wow64 process (32bit):false
          Commandline:findstr /i "2000 XP 2003 2008 vista"
          Imagebase:0x7ff606930000
          File size:36'352 bytes
          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:107
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO."Microsoft Windows 10 Pro " "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:108
          Start time:04:41:15
          Start date:27/12/2024
          Path:C:\Windows\System32\findstr.exe
          Wow64 process (32bit):false
          Commandline:findstr /i /C:"windows 7"
          Imagebase:0x7ff606930000
          File size:36'352 bytes
          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          General

          Target ID:109
          Start time:04:41:16
          Start date:27/12/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO."10.0.19045 N/A Build 19045 " "
          Imagebase:0x7ff6d2210000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Disassembly

          No disassembly