hxxps://tria[.]ge/dashboard

Analysis

max time kernel
305s
max time network
442s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28/04/2024, 09:46

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://tria.ge/dashboard

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
158	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587712257840468"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2e462af75099da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f88206f75099da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F4BEA765-0FB8-4184-B2A3-705EE24F69FC} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7197faf65099da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000c5b7919175cb90277f0cdb618ed5152f1dd648c079c0759a5a3d4db9b6129c10adae5f7bbe86740481fac67a54e6680fd514fd2317d3a978307c	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
8092	NOTEPAD.EXE
4060	notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
1284	chrome.exe
1284	chrome.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4284	MicrosoftEdgeCP.exe
4284	MicrosoftEdgeCP.exe
4284	MicrosoftEdgeCP.exe
4284	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4220	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2016	MicrosoftEdge.exe
Token: SeDebugPrivilege	2016	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2016	MicrosoftEdge.exe
4284	MicrosoftEdgeCP.exe
864	MicrosoftEdgeCP.exe
4284	MicrosoftEdgeCP.exe
1700	Monoxide x64.exe
1340	晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe
1340	晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe
2960	OpenWith.exe
5092	OpenWith.exe
3556	OpenWith.exe
1204	OpenWith.exe
3900	OpenWith.exe
1980	OpenWith.exe
304	OpenWith.exe
1752	OpenWith.exe
2112	OpenWith.exe
2896	OpenWith.exe
2564	OpenWith.exe
1604	OpenWith.exe
60	OpenWith.exe
4312	OpenWith.exe
1036	javaw.exe
2360	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4284 wrote to memory of 1868	4284	MicrosoftEdgeCP.exe	77
PID 4544 wrote to memory of 4892	4544	chrome.exe	82
PID 4544 wrote to memory of 4892	4544	chrome.exe	82
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3008	4544	chrome.exe	84
PID 4544 wrote to memory of 3384	4544	chrome.exe	85
PID 4544 wrote to memory of 3384	4544	chrome.exe	85
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86
PID 4544 wrote to memory of 432	4544	chrome.exe	86

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://tria.ge/dashboard"
1⤵
PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe36159758,0x7ffe36159768,0x7ffe36159778
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4104 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4892 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3288 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3604 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2904 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5500 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1736,i,2516753288312998837,17595654044355710843,131072 /prefetch:8
  2⤵
  PID:4192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:712

C:\Users\Admin\Desktop\Monoxide\Monoxide x64.exe
"C:\Users\Admin\Desktop\Monoxide\Monoxide x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1700
- C:\Users\Admin\AppData\Local\Temp\晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe
  "C:\Users\Admin\AppData\Local\Temp\晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1340
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\gl.txt
    3⤵
    PID:2576
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\hu.txt
    3⤵
    PID:1088
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\tg.txt
    3⤵
    PID:744
- - C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
    "C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe"
    3⤵
    PID:3336
- - C:\Program Files\Java\jdk-1.8\bin\javah.exe
    "C:\Program Files\Java\jdk-1.8\bin\javah.exe"
    3⤵
    PID:1380
- - C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
    "C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe"
    3⤵
    PID:4656
- - C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
    "C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
    "C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe"
    3⤵
    PID:2416
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe"
    3⤵
    PID:1020
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar"
    3⤵
    PID:664
- - C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
    "C:\Program Files\Microsoft Office\root\Client\AppVLP.exe"
    3⤵
    PID:3184
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt
    3⤵
    PID:3656
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt
    3⤵
    PID:3696
- - C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe
    "C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe"
    3⤵
    PID:3284
- - C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM
    3⤵
    PID:1548
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF
    3⤵
    PID:672
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF
    3⤵
    PID:3592
- - C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM
    3⤵
    PID:4476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js"
    3⤵
    PID:864
- - C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    "C:\Program Files\Mozilla Firefox\uninstall\helper.exe"
    3⤵
    PID:3124
- - C:\Windows\System32\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe" "C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\CinemagraphDelegate\CinemagraphControl.xaml"
    3⤵
    PID:5508
- - C:\Windows\System32\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe" "C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\WebBrowser.xaml"
    3⤵
    PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat" "
    3⤵
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
      4⤵
      PID:5876
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.ps1"
    3⤵
    PID:6020
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1"
    3⤵
    PID:6060
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css
    3⤵
    PID:6900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js"
    3⤵
    PID:7028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js"
    3⤵
    PID:7052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js"
    3⤵
    PID:7092
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js"
    3⤵
    PID:7128
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js"
    3⤵
    PID:7152
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js"
    3⤵
    PID:5388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js"
    3⤵
    PID:5572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js"
    3⤵
    PID:5868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js"
    3⤵
    PID:6012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js"
    3⤵
    PID:4560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js"
    3⤵
    PID:5492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js"
    3⤵
    PID:3684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js"
    3⤵
    PID:4452
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js"
    3⤵
    PID:5028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js"
    3⤵
    PID:6136
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\ui-strings.js"
    3⤵
    PID:4100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js"
    3⤵
    PID:6220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js"
    3⤵
    PID:6240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js"
    3⤵
    PID:6316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js"
    3⤵
    PID:6336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js"
    3⤵
    PID:6408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js"
    3⤵
    PID:6484
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js"
    3⤵
    PID:6504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js"
    3⤵
    PID:6548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js"
    3⤵
    PID:6612
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css
    3⤵
    PID:3344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js"
    3⤵
    PID:5864
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\ui-strings.js"
    3⤵
    PID:6648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js"
    3⤵
    PID:6668
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js"
    3⤵
    PID:6696
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js"
    3⤵
    PID:6760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js"
    3⤵
    PID:2528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js"
    3⤵
    PID:6908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js"
    3⤵
    PID:6972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js"
    3⤵
    PID:7020
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\ui-strings.js"
    3⤵
    PID:6852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js"
    3⤵
    PID:5720
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js"
    3⤵
    PID:6016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\ui-strings.js"
    3⤵
    PID:6540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js"
    3⤵
    PID:5124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\ui-strings.js"
    3⤵
    PID:4808
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\ui-strings.js"
    3⤵
    PID:6988
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css
    3⤵
    PID:2136
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js"
    3⤵
    PID:7188
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js"
    3⤵
    PID:7204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\ui-strings.js"
    3⤵
    PID:7284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js"
    3⤵
    PID:7344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ui-strings.js"
    3⤵
    PID:7368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\ui-strings.js"
    3⤵
    PID:7412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js"
    3⤵
    PID:7488
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css
    3⤵
    PID:7532
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt
    3⤵
    PID:7568
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT
    3⤵
    PID:7588
- - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
    3⤵
    PID:7612
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt
    3⤵
    PID:7644
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic
    3⤵
    PID:7668
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73578\javaws.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73578\javaws.exe"
    3⤵
    PID:8052
- - C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe"
    3⤵
    PID:8040
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1"
    3⤵
    PID:7852
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1"
    3⤵
    PID:6036
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotExist.snippets.ps1xml
    3⤵
    PID:7912
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1"
    3⤵
    PID:7772
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Resource.psd1"
    3⤵
    PID:7808
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8092
- - C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx"
    3⤵
    PID:7836
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4060
- - C:\Windows\Speech\Common\sapisvr.exe
    "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX
    3⤵
    PID:7428
  - - C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe
      "C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe" UserEnrollment,en-US,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles\Tokens\{1C417AFF-2187-4392-BEDC-4B8F8C0F7B41},65552,0,""
      4⤵
      PID:6008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:60

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2360

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C667C358910273D6E62C0A254EF4F4A
  2⤵
  PID:2436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 97B369D2DA4153BB5CDBA6AC9B57F64F E Global\MSI0000
  2⤵
  PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
0ff153eff8861f67daf91b3bec29a771

SHA1
7fd61b7473aec1c58703811a59ea4adadc89714e

SHA256
22f1398bdd7a212147d83599bc83abab9cebf69bfff32302999a2eae5a90fd1a

SHA512
d265b143c5092fa7fc8a952c6a6d83c3a1015a9c16da5d60f71a3081b47025b77e6638f3a05a1487ddd0ddffea474eee1b14d60d14f89d11ba9177674ad17dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e68ae4af7051aa2b091e70a120254cd

SHA1
511c4a8bef3dd850f2d02591d0b9bf2c3bea3ff2

SHA256
8ec29dc6b83067c9df86db58d845ea2847816e65e2c36d92f1ecb8114a9a913b

SHA512
6aeb517259a98330ee58ea435c292b485806c4575e11eb5e5b45aade2d07e07fce5e002851486591fcee79fd067c6c06c2b9294de34d96ce07cfcf28eaca5b5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
448ee93ca3eb4ecb4143595f3ab4e0bc

SHA1
663e96888d91bd7dc87019c84cfa622429bdd7d9

SHA256
5eb8d6a1cc494f1ed67d770e6a050f51510654cb56adb0aef8505d472d9041e1

SHA512
e0ac4d858de6d6c12fb9cfa652bfab8e6476162ed31e12d299dcc6595a7e599339654f42e30f28c9e96a52a9cf26166f91493636c017387ac7e5b39db06ad4c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
c664eeb48e7c9f042f0fd88f2d77ff1b

SHA1
4f3410228fe4d2056a9671cd3d46a24b375ddea3

SHA256
e4c91d56409659f692c4c29cd7d8aa045bbcbe832e153de0263acadb8567f2cf

SHA512
66ae9f1b3eddbf5de90d4b26bdf816ed1f695679452a3a43da8ebec4142c5d3573c5d305b5108e8725828cdbe4f5a45824abea319425018ad6312bf08203bbaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c4748428484a0eadcb030d50e071020b

SHA1
53d4b2e87b28016d8fb660a53c9d5ce8ae233894

SHA256
9abe6f7fdaf770b9681cba36d77ede56fd59b911ec7688607396198a33e6716e

SHA512
236a891fd4871d527361cba023ed351b8697d8706f1dac8ee9eb1217f90ce6523d60d825c699b1d7a988073abfb98e39edf2d69ce29f83b8f270718ae9f9b713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9d8d1a63ff741039af67646c9fe604d6

SHA1
4b831429ab03a8ac3848ab07230c13bbb5b0707c

SHA256
ec4007e72f33385359b3923b4a5e5b966ca3b4be9574a4676e33df2b9930573e

SHA512
30b7b36af03a18c8849ff4d613a286a1d7e13ba05a09d0ab9f3c33894f919ee2e5d76e23a3492f28856ed117acd1e262322872cc998c6f1ec5b7bc1086be82d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
21134a6fe0507b5079cf5807e68196d2

SHA1
41b4f7b28e9de3de74efab13a57504516466ac18

SHA256
e708ad7aeb9484bbc85a7d9a1c586a6ddf10c3c84f42d71b914bb321b7989604

SHA512
277de89e5cd07ea3b54c803b6e8eb9f1e7959348234bec84b6e8f40abb804982858d7f971fa976c317f2bfebf69e6b5b397c2a120c601a40e08f83868aff3fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d7d8710c891691049adb308e634cbf04

SHA1
ffdeecbf22cb6c6f861026ed874a9c0ce371f386

SHA256
0c6c0e7bd3bb040ab78d8cecfed66a880cd66b76fa8822dcb82d0520a821e044

SHA512
1cadd3b0fa0f5bd27a13d148aadb8cf9f4e69d80e5e5382090e27eaa1bda4c1d13804e52c760ce5531300e172b4b6c9d678a3b7ab15a091aede202acd95752ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
cb39d07f63bdca7dd8573d1a81c8ed74

SHA1
61d5d7435d6e12bc77ff615c78dde66a345f1ab0

SHA256
e3acf35ac9c363b0bcb1ebcf62c4df8f08f21bed4a2ee37762f67467eec52242

SHA512
ff6121d461efe18f2e14a6a608b982798d797e7f26b50e5d7b2e7c326fa401deb1a998747878cc22f2aae957a64270510c945b2461ed1d01017af6a66fdf83cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
5da578d3b7126c3cd6638dedf47c2a91

SHA1
ce52f71e83ca85bc6bf9e603af2c31d41ffb49db

SHA256
102b2f017c941adb96bede0962d397e0276ffa466743e9714bcf06571ec785cf

SHA512
e2cfd812397e35240070bf93da0248cc2e6606e7f82654b8ac2eee3d03c2bb0c7beffd4fd633abe744cd17b51e8225c7b985d8847a396baca7ab4469ca70f43f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2cc12870edf01039bd483add5171ae7a

SHA1
265f5b2052d2937d6b166dbfa86a5cf20a8ff173

SHA256
ce3eb54e5e87e2c7fb914aa2f1e423bab621cafd3be81ea0d02457f1945fb8ea

SHA512
f4b38ff8070127d716e3661be354f2183b12ca4d2b8f23aeddf0dac29214f22c5a41794a13b27222e63f4f294a59087837fbad87d6249e8ce115176e4235dd12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
156aa7e4d3e47f117287bacd0f50d7ff

SHA1
6ce1b27cb9c3342329fbaa8d841bfe56a561feb8

SHA256
c5ceb593b3f1de94251ecdbf85a0a6bdd9d7d66a4aff076b3f1fb4303f675204

SHA512
f2c36e1e9053b2ae42047b00a536f33ae1f57f219b98f497bdad185ff94f166244466a9864c7b69aa110f321eba55a3da7361b7fd273a3570e23d3dd67f4446f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
69584417f03bc91cf49312cb6c7b0f4a

SHA1
79049047b1a95a7f6e33b2d015dfb3116b403196

SHA256
42b755d8190e4bd986f67c71679cf3b0a452624d8e770284b126a96ac0810572

SHA512
871bab9449cf2e0e3585f129f5531ce4e6ef05699e31cc9d999306b06eff289ee856693a7c233f969353a672240a857ac7ade45481140e2694e648635f561177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b156a657500c5a6fea5b8a9363b5e0a

SHA1
b26e486819bfc5d1b9020dc7aeb3387a1b502b8e

SHA256
3383c06ef66360660bdcfa0a17a21b157cde18b1d376dbd4e969c9318cd954b7

SHA512
fb4fa203356a91ca9b04f1353c8df44a029db474cd0d600719bf694b3e86e50c10bc15860ba163ce32037e81164055f2ace1ce9b29ccee643e85807b422b0121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
03c16db1712ab92204f115a26bf15b02

SHA1
7a785566e5809c14fb72e604ec8be8d83bc06df4

SHA256
dd5973af8023335f17054c2f936cc201858ee8877ce7c150e86dd977877467f0

SHA512
2f7409407e7eb30a817f8a5c8b34eef05cfd303061b3c6990af75eeae80042d11e0bc4fd9605e2a2a073d41064e4c7b4b66a4176618c1ab3710506726b0e4ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
21b10f4fefa468bd26c1503f636471db

SHA1
d827dd0f2c492d71ff29a76411feec782037f17c

SHA256
8fc027cbec10ece7b51ac980794a09bc7df3160226b4074c5e6a649b36e6c55a

SHA512
96b8a5a7776b8cc9d4d5caa95e166ff93aef5196d58cf49d2bf4b54599143195542a2aa780ef0c5f0a56480eb5137964caa0face617bb843323ec182b95f2c8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
25b07a4eba51d577dab2375798a3feb3

SHA1
f38767a0c5c95c35631d97302fea32e7818509d1

SHA256
13128706170b2a8779bb03b5232035c044c2bc16218017790b20a3764435dbfe

SHA512
33c756767de4520ea9e723caabf42d5eadf2075a705c878103aac74f504b2fd475b355b2c7d4e6742f720956c467073b9d952478c77fc4c235f93eaf8eb4c317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
13e8c269dcd630f8a22a99f11e611eee

SHA1
b2ca60cdd8e37935d1a92db27de7e36e8dd7ddde

SHA256
27398d753b4099ad86130bc59de26805fdf3af37ed77f35fb341c5bd03d60b30

SHA512
e6556568e289f10ff0e32abca12f59337a24f553b6e225f4b26ff0022ef40d1234e6679d3839f925fe61dd215a6d8085473968f1b0ea160cf5a9b01049373944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb26bd0e5fe0c75e227bd3f87c00649a

SHA1
16bae5670ce6309a3238b0a20dd636a539d5177c

SHA256
909a67d8075b7dd54a4417997c8672462c630d8e300cc3c9375725afd06e473d

SHA512
9e44d6c1d4d712de32b3e51a9bfa5446950cd3accc9bc18f8092e32de7d7b91d194df151529d3916df5ccf413d99bff0083c51b6405adcb919c4362604219074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c71067cdf4964fe5f92742dc4f1481a8

SHA1
d22993ad6ed8421831cc92b996d152f6d2dc7a4a

SHA256
895a7944f571e7e9aaa9ed5fb8ad74e9640c62ae6c07eed048776adf56432cff

SHA512
35dc68a3fc9ae12c411317679e3547ac3f85ee31521951ffb1de1e623dba3fc3b3030b7db58da6ca351f701a6a6cf760b60dec17febd090db8cfd6c405887ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b89717b991ffb5dc57105332e0566e17

SHA1
28a638fda61cbadb89f8ef887a3a91e8bbf49d17

SHA256
af05f783ae0b6113eb3b8ccabfc89084b9784026e7fd2a2f4821fe8cea4d837f

SHA512
6c3d40fb1010d46d43ecefcd24d3095380ad3b662c8d8f884a562a47137fde13c9d103a8d49edc82408aa1c73e995025468cda64c2c59b2e283c5d87140586e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7302745f73a4dc58fb42af8a3680161c

SHA1
fb22eec34e25fff83ea0b1ef4b5c1c8fa46fb053

SHA256
6f105d4a9ad1225e1ce106675355b7f1970c9f21def77d483c08890c63452f5e

SHA512
4dcdad9cd0c853007dcaf978912d08183d5dd6a8761c5b9fc35797ba918d1402d823504908db286c3c989b7366f3132822f3863738d0f9dd3e9c3b66a3c5d219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
cf6213095806638927a9ab571953c83b

SHA1
473be7729042b2631dc2efd9582c7828d38ab3bf

SHA256
884bba27dd8ae120268e222af6fc1b88b40ebec6a5b21f6df84b289e93a2c7e4

SHA512
3ad3285f0b909c7545c485b87fd474e8063b9631c4db79e4ea53ff5975c586b3db730721e0da39a38bdce17b619dd27260fcb19b97d9765d0193eb8ff3ba7824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1427555c-f8f5-495b-b972-390819b74949\index-dir\temp-index

Filesize
624B

MD5
d44d865f08bf629dcc43a15c8ad1f88e

SHA1
3455c4a68436d9d42abe377c0e287b4667df1746

SHA256
dd6b420be61a49ee3eebea6825cd1b5dad08f457441b8dab465878f3f39ab574

SHA512
786c90a903af549406e812c046a7faaaff779740a435ee800e7f98ebf1d65d6e6c9099779ad1e897a6955571d9c460368fed2a32f9f35c0967ea84db04fcc9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1427555c-f8f5-495b-b972-390819b74949\index-dir\the-real-index~RFe59a84c.TMP

Filesize
48B

MD5
6a1ae3cf8d080f9cc35717b2d6739665

SHA1
01bcec4c54dd8db7e244a48a160b23f5d4802b1f

SHA256
98abfa999c17e18503a34b8a67635f7ebd9e1f348d10bb48a1739ce37aabed90

SHA512
2d81ae864b18ed94d8f2f66077c3b697db781767efcd2bfae49fa0fc8ccc23db82cd852f013dc1368862b7932ced0c7e109958246342ad4dea7566f11a963b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\29b08c61-cbb1-44f0-aa30-0dbc294079c3\index-dir\the-real-index

Filesize
2KB

MD5
5f41c0c262e8d4a1da1377421d932e0a

SHA1
47c20717a94e59e1986dc560adf94a485176d779

SHA256
20083b9f4707c6a74efe765ea9371c42b5c5ea7e4b837c3aae77255785a04581

SHA512
3147925693924db01a6ed63e55da3ed3e115207cd1cd3bd0663488948971df0c5616031ceb7242a9967d2343c5ae2235235cbedcb336a20be70bf1acb877d1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\29b08c61-cbb1-44f0-aa30-0dbc294079c3\index-dir\the-real-index

Filesize
2KB

MD5
58b6e577891b738c3f437a150dd9085f

SHA1
a463d1982d418e65b2518d21b17f7e23d00ec552

SHA256
faa91dd7b5aba14265dffae33e48509935d07879131703cce23044a52fccb154

SHA512
4d2e3921d4c5266e8a448d6db8ecf89b45040d895e9bed3b165db717148d5100f1dbce76ad04a3edbd94f480c9beb17452ec2e67284557709e4a54b7875cc29b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\29b08c61-cbb1-44f0-aa30-0dbc294079c3\index-dir\the-real-index~RFe59b22f.TMP

Filesize
48B

MD5
125819fb560208064b1ce245a555896e

SHA1
3fb25cf4316606b1d8ffcdd35fcc71771055c7c3

SHA256
f57436963e170aaa8d16ab6f4a0d162bc0c7b0d64bd974c210858d7684ad47d5

SHA512
9c1c5aa0444ea5fe0039697532215dec9a10c8371652e03604c1408c79d96c7c90cbb002bcd513e1afb963dcbf805f96b8ea0cb7a91250c4daf15b202e86d835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
ae72d6771e51c8db8e29b18bc84cf027

SHA1
c8f21cb1cbd5d5b7825fec192e9bc831fd3fa9e9

SHA256
680dd0ab8a6ff49e08dc57415ed6d5dbc726ee181c55c085d6d5fe036f5eebfa

SHA512
7f4648d39a570bc35f118abbfb167a976c932f3c68b22b09e2bce49203485667dbe24f26f28fdb8e3ce7481cbd4ddd2e04f2fcc326f701b8ffa09e525f9f29ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
c19f2a31af5f48ffb91bea5ab756ffe5

SHA1
9e71126d5131f07c27147229c8b2bb129bb780f9

SHA256
056c21427e95e8666ddc263b93406483aeebcc43ac0e34aaf5e0e3d2868ba751

SHA512
991c8e1c45cdf63591fdf5ad939e13db13d79fb9f53d8857785d7971d2126b4b8f012150d01096b550c73236e570afc6cf173e1c8c3294814f58fb4bfbe6ae0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
fef4729668e602a8ef828de03ea22609

SHA1
e45c69d812cef2b4f576e4872de038c7eddf2e2b

SHA256
e0cfdc86bf8dfef97980d9b4a74226b342e8cf190b95f34c15872f2ef73a7182

SHA512
0b90bb7402367e17ba5a789dc18daab848dce95dded8b736fb3ca0630cb911b56594e29804261871f72144e57ab9ecadb7f5a32ac8c73762a6859415aba03cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
56cd93906eba31235d47aa20e1fdb7f8

SHA1
b211a3af0982eac9677d422cb7a6184b44de16fc

SHA256
257d3c2c2ab7e6b1963cc71a9ee77174fdf7c8ef9ddbe026edaeb52c905d7558

SHA512
9b18e716c1d52c1af6f8234cb3a50dc89fc1db6c0236f580961d342f72f38155d4feb43fceefcf99de75af1310934507e285241c32aa66ef49ee2c99d04a6a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
60d87a0b0173f8d52094724d506d60d0

SHA1
ac41b21ea7574056506cdf1d665cbc53ee91cf82

SHA256
d5e1e2f7feacabb18c4b613a59f419885878304b2d9ab4f1ce3bfb8b33acab36

SHA512
2adc77810636745971145646fd2c88c698f6ba7f04b4f07e1485e95b865c7fcbd3e31b95285e3645f7abb191b14da02574dbfeebe02f66aeb2ae0b1cb56fa7a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe594982.TMP

Filesize
119B

MD5
e2ef0e4bd446e3b1818a77de5ba7b7cb

SHA1
b939f86c1998658b39f6179370123d9b07219269

SHA256
6d5c1060be9aafc669fef5e289d3508c8db7de2114c8cbecac2ab3ccb721d3c9

SHA512
581cc9ae032ee6004b2d97f8b3c7be33d23e69d715dfbd62ad6c8468513c2509801f97b1dddf25db61f04d071d86f17b82469a83cc3efa6678ccb8eec06b4b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
17KB

MD5
5397103157815d2cef4b26e0a8e7c8e4

SHA1
a3d2d6d8d88fdf11c213b80e9612a39618932cf4

SHA256
8cb5024b9fd772a791b9a19a8b5473f220eb51003a12eedd06c698209fedf137

SHA512
468dd51a1e33f0d360ae330ecb8a76970f137cb567111450d6e13f929d92d665d8d1f8501cf9672a8ea6b9e240d7a350e076df83adf81813846d2ff083d3245e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
161KB

MD5
79e1a41b94039b130a9df602638d9913

SHA1
0183d0e60631b8cf9b5738c6bed34a538dac7b28

SHA256
45e5674ed2ed5b0129bc7916e83892f439f98a985098ccd2cf03d2830efd756d

SHA512
07f262a93fa0a48eaa6639bcb619a837201981a9c8fb18b0ad4ae6a29e936b0db589894d5924cffefbf5c00628cd88d630d1949ff7b43855c1185a13b54a8837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
0a0d01a2934dbbdb9135c5550376d22f

SHA1
09d6f96546d3739359397306f5a0e670a017490e

SHA256
4524199d2f3bc17455b2f29d4c1677ba4ae3fa68fa1e9eb038b762b251c5197a

SHA512
babc8996a99480941c091a08e49eefd8d6198c020ca5c797bc3baece667705a57d215d2741e09416615036fa30e021e695ce849c8ff3634afcdaa4e6e6cafca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe599adf.TMP

Filesize
48B

MD5
d922376fa7221ef9f5be744c717ebcd9

SHA1
1991b4d9a8810c87496bab2ce4e5b1b3362cc6d6

SHA256
c40b7ec1939f36242b18646b896bb757a2ce8926a137f945503f829f35628a8c

SHA512
555422b4ea177ed07b23709aa6519103f877dc15114179c0c30d454b1f388e289777b7ed5ccf9dc9045a219726b9b458bf767f27f937e7f04f23f787f09031d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4544_1635941007\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
20f44fbb6eaa2ac4e4d62d97fc10c02c

SHA1
a27d2ad70c9580c2f279683695e5a638ee4b9b56

SHA256
25b7fe3dde78ae56cc2586b31552066bcf1d5c31a4285466f0a2cc8deb93b3f8

SHA512
76957650e61b1b9d7cf32c1602114a9028c60acc1834f11b1c90439d0d35e87a26f9b2f28f87e85f00f847186fa84200cc7809563c5574c4729cf23c9081ca21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
4b27e940adfc987a37eb4c8c7966ebe6

SHA1
d74e7c3d30a59da43547cd073224e2c3deb8f56d

SHA256
fa114a764c2c81f06f3752d7fa977ae564a2adbff933deeef3d1dc54dd178f55

SHA512
a8583c6d95f4dab2f90bbda3330fd531cf3b1e3f482c9264128554951072f312853954be65a865f3014589ca5792ba02d1430966d5b538bd2421082aa8ea92a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
4679a03be180b0ddfd2930eedcef4513

SHA1
710683ff1cc3afdf56285e132ade9e2003640846

SHA256
ea097f79816a810cf24bab028ceb457d24cedb2f8b7b2f8690615b82800bfd1a

SHA512
9f651b4a1cad3cfae81572345bae2f6d4442f2f50e839f2ee4a87885315ce074d946911684cdd4a235887013a3e1537c54c7f1d6500843f8fa9a714fdbfb779d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
f97325cd3ddc0afccb2d64cc898ee94f

SHA1
38cabd0654d222f47d68b1fb1fba2e79b686e498

SHA256
243f7d2026d3f346e96e2d9eabe562c7e36d3a2955d32bc7c3d6c15c59fda16a

SHA512
1d4a6943ac801c08f551e69c415712d59b69163276cc04c1422c6f07121ca9ebcbaf28525278723adf3d929ebc1cec43193b8be16829baaa7968d0aca1aa993d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
9bbb411e340947f27551122a398096d1

SHA1
02fb8fdfa134443d74b9886e2f57f119f0569c4d

SHA256
ff05e8041f710ec1743205203ceca50c0fbc5be0c0660698ecbc749cce22bfaf

SHA512
b55ec57fd95c9f35d3c210a02613c77c8d525ee88232cdba9cbdc3d10bbc939cfaa1f58042429d898d9b591777897657a94f8c5e057496469d11281dd05f85f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58aa16.TMP

Filesize
92KB

MD5
27b94fd6da62a3338a889908c73cc6c5

SHA1
b5df314f13231996f6e2e5bf52fd74562983c0c4

SHA256
32e92014e6f881a0aae5ac63c1e4fd3c1638151f50b23700865bff13fb768e2d

SHA512
136882ebaf203917336fa9656aae8760d38510abf15957c7c46858b4210b2dcb98d7787ce7b034e23ea3f11805378b1122b0240973656dcf599fc6a2ef60d570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LICIZUQP\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\71NTS5YI\landing[1].css

Filesize
4KB

MD5
5ffa0a2a5b138f8e22bd5ae91861bcc1

SHA1
cfa4db129142fa90c83c6cc857a3a5c0ed5b338f

SHA256
93316c48c05fd81fc6f6809dcaf94e15b6290dfcd95db4b35e189968ada940d0

SHA512
6ec8418c18428fd9e91a3d5887d5f73b2a67e5d00c467004f104c5808d0ad83eab3c8648c246d97ed2663515109cd3fc3766e7ebbdfee1b95af03d73cd0a928a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\PX5T23RZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XM2HW706\favicon_triage[1].ico

Filesize
14KB

MD5
5fc2a75feebbdb454d523f27c453cde5

SHA1
1eb266f08c38483a79926d71c0941aa59fa75ee0

SHA256
2235d2487405bdb645954c9b6f28b770265f70d3f634783f63ef6e3159e2226e

SHA512
7d5100ce648fd61a2a63b355c3d1a8189c3e54eedca11417690a7cc1f24d64807a38502e3af8f198ee66edb0bb79b4381265d8b6e5874b4cfc1955e3a2045944

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF34324F1173E52D79.TMP

Filesize
16KB

MD5
8ce079cabebb63de89bb3b4f2e1791f2

SHA1
a3ecba8876ab40213dd0c2f70092f55bc56ecfd6

SHA256
43dc041011c24d5737404b3245f59b565711a1b8959f5ce0e45b6a537d826a63

SHA512
333f8db746aa3a2c1e02b1553ad5c8563a4e1f2b398f6aea50c82fe59d1fcc6d0bf4af3c9e61b8c33076cc3908d05284d75cb457af207e7b484888e3e0842e03

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
4f1f13409d9378685074394086a3a8fa

SHA1
bf2976b43954a47c46093e0ead19d93628e04a9a

SHA256
1a8092ece5a37f75917726c9490b9e491749d58dc580e7ff62d2d418289d2be3

SHA512
30b7b1b0f0308a826c4a3e0b54cbe6dc63cf975a8c11fa3f8740beafcc88e0a92d71f5607a679e965a44bf7574b1298d88308a05cbd57dfe095aef76d86d5ccf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
8e0f69b5dabc3a6a082e146f64efd636

SHA1
df3b5fa954689cea23c054d877160f92481b7ff7

SHA256
a7868ced6e72c2ad5723de993babbede0425ddc75868c82cd3d6319b930ccf2f

SHA512
c4347d7ac8415d0bb927373162235f20c510842d5e5b19bc36e99db7e53caf685ba4fde37664782dc418a489f1afcc8bbbc09b22d819aefa8efc0ab67e39e5d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
3203fb42bbb40fe791bcfe1b421bb595

SHA1
7d027229414788cabdfbf2c4c9539e2c825e3a2f

SHA256
8053d0b99af4c34802803448df4a27649e5ef7dd36dbdbcbfedc994702d9c89e

SHA512
6a680f8aed5715b1df25059d9f8c2e2b42e5f7dbac36a6034ff2e0f128d6df701d8cd9674e67b24f028ab5901191efdde8db46936527693355761f7f1e82fc2c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
92425aef3ed4b0f3a2e475d0c2962de5

SHA1
425fecfb61c35c02e55baec7f9753674c087026b

SHA256
df2e21c913b9c0fed04640a3207c820b556ca1210f52d80f13c6171ec2309c01

SHA512
bf94b29a2f2c829d98a1b18ed0e5672106ab3ce2f2daf37094b3d979374e9c644e6b318d0499aa3e1059826943f42c44b3569718601384238e25e43499fc1249

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\swrzgpp\imagestore.dat

Filesize
15KB

MD5
57d65f4165d8b120bb463a5373a27e70

SHA1
ee2fbef056698aef1128cc59768a1d2308f37176

SHA256
385b686868faf8ce3a3c67f4be72b6ade975499b8ab95aad62c42c0df93ea53d

SHA512
3865318c23f5257b60ab20d8e26b571d3e6a7a59e1967c4ca2108e849363c6f2b0db5eaa61b2e27de9f7621a2df2f44a09e142b45e14c436c532ead084308916

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{F4BEA765-0FB8-4184-B2A3-705EE24F69FC}.dat

Filesize
4KB

MD5
6fefc3fc5f03beab5a8296504a22b397

SHA1
1248b71de0d270e2f45881a56ce2d3c7afd7bfa7

SHA256
d82f3d409fe98b195aa7d23646976696819774ef14eb6d57da2ff292350b95ee

SHA512
548a5702aedfcde5cd5f68d19580a78f7597aca642c0a39e5df5b38ca760eacccefb8764a03acbbea38bc7c4e2a5091bcdcc00529b010be114675a7df5c6953d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{2120463D-BD33-42EB-BA68-D24254B81178}.dat

Filesize
7KB

MD5
85a3f4ace552c0ee00ba99cc907b1b34

SHA1
c57a50d7236fc22f421dc68279d2a84c9f3a03c6

SHA256
317cebf2324eb1afa7a6e29eb1834e7ea20e934eaa2e055ed9e131f227ea938e

SHA512
fdea971e3c0ad13696aaddd76ad7b1f87f6911f51ab854627b9c2d327f9397e03653dd7c58e26dae8ea5c19fb870b6172bbcd80285294f82f1f344ebec67d49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qedkgnar.azi.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3198.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.exe

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\晜兑薳橋覊癕僔薃盌鑰俬俵碮衽欝彌.txt

Filesize
260B

MD5
4ddec6f4353b5de6b84cf740085b79e1

SHA1
08b0b6edc9c41fbbe193cdfe8fbdd9e7ac7b1423

SHA256
6e71cb50c87e20ea8d7dbb7c5126bfe3792b985435af2283c23548e61a04c664

SHA512
775f40992226848312abc02766c1875804e03c88f9a5403217d91f1af7fbabda40bbbe48313634e8c200f74e63d086748dfeb92bb0a507ee63afb8228b20d261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
2d188b9428dbe42072c88f296a4427ef

SHA1
9d928581d9775b8a24e7604360e684911b3fd3eb

SHA256
fda5e2b5c8349d589af90be4e69780074a33251f9bc304f92dc0a7c09a0ba8a8

SHA512
b0f67e5e88f6a048e4ff536590a675bec7a8d0c6d4edc7c03539463357d3eeb20cc2bdd510f45d79a52708da24d4ee032edf48527459a8e0694fa71add5566ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_EF030144D1A24C8DA4BB819A76D1C611.dat

Filesize
940B

MD5
f22bcd095744dcd1b14077cc0c2cb396

SHA1
3fe23a437cec902a61c29b34755fd3a1e2df4a08

SHA256
2671c8b256d29f6c36ab1ac6e0aa51569a0891dd62d71446afb8f83c84e75c68

SHA512
3fdc63a1276b8a552328a847acffcbbad3537d36bef7b812ee8fd320ce9a72d72a53d0f853d58eecf4d3f413ce1b26f3e425c927bd7c999daf4b082f4c2201ff

Download Submit
C:\Windows\Installer\MSI4058.tmp

Filesize
418KB

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Windows\Installer\MSI427F.tmp

Filesize
209KB

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\Installer\MSI4EFC.tmp

Filesize
271KB

MD5
f88c6a79abbb5680ae8628fbc7a6915c

SHA1
6e1eb7906cdae149c6472f394fa8fe8dc274a556

SHA256
5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

SHA512
33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

Download Submit
\Windows\Installer\MSI3EE0.tmp

Filesize
57KB

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
\Windows\Installer\MSI4164.tmp

Filesize
148KB

MD5
be0b6bea2e4e12bf5d966c6f74fa79b5

SHA1
8468ec23f0a30065eee6913bf8eba62dd79651ec

SHA256
6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

SHA512
dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

Download Submit
memory/864-43-0x000002E415FC0000-0x000002E4160C0000-memory.dmp

Filesize
1024KB

Download
memory/864-42-0x000002E415FC0000-0x000002E4160C0000-memory.dmp

Filesize
1024KB

Download
memory/1868-67-0x0000026BD22F0000-0x0000026BD22F2000-memory.dmp

Filesize
8KB

Download
memory/1868-110-0x0000026BE35E0000-0x0000026BE35E2000-memory.dmp

Filesize
8KB

Download
memory/1868-108-0x0000026BE33E0000-0x0000026BE33E2000-memory.dmp

Filesize
8KB

Download
memory/1868-106-0x0000026BE33B0000-0x0000026BE33B2000-memory.dmp

Filesize
8KB

Download
memory/1868-112-0x0000026BE37D0000-0x0000026BE37D2000-memory.dmp

Filesize
8KB

Download
memory/1868-61-0x0000026BD2500000-0x0000026BD2600000-memory.dmp

Filesize
1024KB

Download
memory/1868-62-0x0000026BD1EF0000-0x0000026BD1EF2000-memory.dmp

Filesize
8KB

Download
memory/1868-65-0x0000026BD2230000-0x0000026BD2232000-memory.dmp

Filesize
8KB

Download
memory/2016-35-0x000001CB5F6C0000-0x000001CB5F6C2000-memory.dmp

Filesize
8KB

Download
memory/2016-0-0x000001CB60420000-0x000001CB60430000-memory.dmp

Filesize
64KB

Download
memory/2016-16-0x000001CB60520000-0x000001CB60530000-memory.dmp

Filesize
64KB

Download
memory/2016-125-0x000001CB669F0000-0x000001CB669F1000-memory.dmp

Filesize
4KB

Download
memory/2016-124-0x000001CB669E0000-0x000001CB669E1000-memory.dmp

Filesize
4KB

Download
memory/2016-163-0x000001CB647E0000-0x000001CB647E2000-memory.dmp

Filesize
8KB

Download
memory/2016-166-0x000001CB5F6F0000-0x000001CB5F6F1000-memory.dmp

Filesize
4KB

Download
memory/2016-170-0x000001CB5F6B0000-0x000001CB5F6B1000-memory.dmp

Filesize
4KB

Download
memory/5876-1218-0x00000142CC380000-0x00000142CC3F6000-memory.dmp

Filesize
472KB

Download
memory/5876-1215-0x00000142CC1D0000-0x00000142CC1F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads