stormkitty | fed171984a55cc4e3a005fe373e2c28f62d81324674bbeeaba1f95db97a2c8e9

Analysis

max time kernel
191s
max time network
319s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 22:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

41KB
MD5

5c62d9be667e8d03c0ef82fb4b74c965
SHA1

25836658f7421e5c7ad842e8a01bfaeeee1ced33
SHA256

fed171984a55cc4e3a005fe373e2c28f62d81324674bbeeaba1f95db97a2c8e9
SHA512

a25ddef859675a66a6452421bec9a8593dc77bfa06ac0c704fe1907ecdc903458c4f2383a29d3e3d56158a22248c3d34fe92d20ee346f42e6949cfc9d4120553
SSDEEP

768:w0mrJDweBDuOkScrbsN/x6WECAr43MxfJF5Pa9p+e6iOwha3/ibR:n0DwewicrbsN/YDRrNRF49Ie6iOw0a1

Score

10^/10

stormkitty xworm bootkit defense_evasion discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

category-rose.gl.at.ply.gg:36607

Mutex

MRlIn8FGfPEd7YaA

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4132-468-0x00000000011F0000-0x00000000011FE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4132-1-0x0000000000930000-0x0000000000940000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Falcon	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4132-1978-0x000000001CBD0000-0x000000001CCF0000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

5276 powershell.exe
4724 powershell.exe
1220 powershell.exe
4620 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6264 netsh.exe

pid	process
6264	netsh.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Falcon.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Falcon.lnk	XClient.exe

Executes dropped EXE 6 IoCs

Processes:

FalconFalconXClient.exeFalconMonoxidex64.exe麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

pid process

2736 Falcon
4804 Falcon
5268 XClient.exe
2296 Falcon
2296 Monoxidex64.exe
2972 麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

pid	process
2736	Falcon
4804	Falcon
5268	XClient.exe
2296	Falcon
2296	Monoxidex64.exe
2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\Falcon = "C:\\Users\\Admin\\AppData\\Roaming\\Falcon"	XClient.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	process
File opened (read-only)	\??\H:	XClient.exe
File opened (read-only)	\??\M:	XClient.exe
File opened (read-only)	\??\N:	XClient.exe
File opened (read-only)	\??\W:	XClient.exe
File opened (read-only)	\??\X:	XClient.exe
File opened (read-only)	\??\Z:	XClient.exe
File opened (read-only)	\??\B:	XClient.exe
File opened (read-only)	\??\E:	XClient.exe
File opened (read-only)	\??\I:	XClient.exe
File opened (read-only)	\??\O:	XClient.exe
File opened (read-only)	\??\U:	XClient.exe
File opened (read-only)	\??\J:	XClient.exe
File opened (read-only)	\??\K:	XClient.exe
File opened (read-only)	\??\P:	XClient.exe
File opened (read-only)	\??\R:	XClient.exe
File opened (read-only)	\??\Y:	XClient.exe
File opened (read-only)	\??\A:	XClient.exe
File opened (read-only)	\??\G:	XClient.exe
File opened (read-only)	\??\L:	XClient.exe
File opened (read-only)	\??\Q:	XClient.exe
File opened (read-only)	\??\S:	XClient.exe
File opened (read-only)	\??\T:	XClient.exe
File opened (read-only)	\??\V:	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

description ioc process

File opened for modification \??\PhysicalDrive0 麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

flow	ioc
6	raw.githubusercontent.com

flow	ioc
1	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Monoxidex64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

rundll32.exe

pid process

7624 rundll32.exe

pid	process
7624	rundll32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

firefox.exemsedge.exeXClient.exe麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{6B79DF96-31D7-45A3-9778-C27FA9C04BDD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	XClient.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

NTFS ADS 5 IoCs

Processes:

msedge.exeMonoxidex64.exefirefox.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Monoxidex64.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe\:SmartScreen:$DATA	Monoxidex64.exe
File created	C:\Users\Admin\AppData\Local\Temp\麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe\:Zone.Identifier:$DATA	Monoxidex64.exe
File created	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 106011.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5064 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1960 vlc.exe

pid	process
5064	schtasks.exe

pid	process
1960	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
5276	powershell.exe
5276	powershell.exe
5276	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe
4132	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

XClient.exevlc.exe

pid process

4132 XClient.exe
1960 vlc.exe

pid	process
4132	XClient.exe
1960	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

XClient.exefirefox.exepowershell.exepowershell.exepowershell.exepowershell.exeFalconFalconXClient.exeFalconAUDIODG.EXE麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exevlc.exe

description	pid	process
Token: SeDebugPrivilege	4132	XClient.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4132	XClient.exe
Token: SeDebugPrivilege	2736	Falcon
Token: SeDebugPrivilege	4804	Falcon
Token: SeDebugPrivilege	5268	XClient.exe
Token: SeShutdownPrivilege	4132	XClient.exe
Token: SeCreatePagefilePrivilege	4132	XClient.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	2296	Falcon
Token: 33	1132	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1132	AUDIODG.EXE
Token: SeDebugPrivilege	2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe
Token: 33	1960	vlc.exe
Token: SeIncBasePriorityPrivilege	1960	vlc.exe
Token: SeTakeOwnershipPrivilege	2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe
Token: SeTakeOwnershipPrivilege	2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exemsedge.exevlc.exe

pid	process
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

msedge.exevlc.exe

pid	process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

firefox.exeXClient.exeMonoxidex64.exe麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exevlc.exe

pid	process
4444	firefox.exe
4132	XClient.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
2296	Monoxidex64.exe
2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe
2972	麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe
1960	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 5064 wrote to memory of 4444	5064	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 2892	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe
PID 4444 wrote to memory of 240	4444	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Falcon'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Falcon'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Falcon" /tr "C:\Users\Admin\AppData\Roaming\Falcon"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5064
- C:\Users\Admin\Downloads\XClient.exe
  C:\Users\Admin\Downloads\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\mwarvn.mov"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1960
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:6264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
  2⤵
  PID:9396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
    3⤵
    PID:9408
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  PID:8664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1820 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50a32b32-a263-474c-b368-a3b8ece707e3} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" gpu
    3⤵
    PID:2892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9310ea95-09d3-467c-b8db-3e06ca4cf89a} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" socket
    3⤵
    PID:240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4793a5e-2cfd-43d3-bb59-4bbc54601169} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -childID 2 -isForBrowser -prefsHandle 3140 -prefMapHandle 3120 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bba19bb-3675-4ea2-a014-cca25a5ea328} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4696 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be244750-aaec-4eb1-9d13-b0140818aee7} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" utility
    3⤵
    - Checks processor information in registry
    PID:504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5260 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cd9a32a-e2c3-47da-9062-f58629aeb312} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2552 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af8a79a-dd3d-4dd3-9471-59d6cb54952b} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:5832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5248 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {690e4991-9074-45c0-8774-b2c68be7cb58} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -childID 6 -isForBrowser -prefsHandle 5516 -prefMapHandle 5876 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bf92e65-ad43-4ee7-a1dd-dcc1130d1d30} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 7 -isForBrowser -prefsHandle 6784 -prefMapHandle 6632 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 800 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c6e689-c251-4011-a25c-b70124f625eb} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab
    3⤵
    PID:1212

C:\Users\Admin\AppData\Roaming\Falcon
C:\Users\Admin\AppData\Roaming\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=qrcode_generator.mojom.QRCodeGeneratorService --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:6304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
  2⤵
  PID:6548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=7576 /prefetch:8
  2⤵
  PID:6936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=7544 /prefetch:6
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  PID:6740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:7644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:7568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:6856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:6992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14462000178625262636,17965508335424566390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:9472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Users\Admin\AppData\Roaming\Falcon
C:\Users\Admin\AppData\Roaming\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Users\Admin\AppData\Roaming\Falcon
C:\Users\Admin\AppData\Roaming\Falcon
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Users\Admin\Downloads\Monoxidex64.exe
"C:\Users\Admin\Downloads\Monoxidex64.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2296
- C:\Users\Admin\AppData\Local\Temp\麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe
  "C:\Users\Admin\AppData\Local\Temp\麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2972
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\hu.txt
    3⤵
    PID:6496
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ne.txt
    3⤵
    PID:6520
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\sr-spc.txt
    3⤵
    PID:6556
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe"
    3⤵
    PID:6320
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x2ac,0x2b0,0x288,0x2b4,0x7ff732a24698,0x7ff732a246a4,0x7ff732a246b0
      4⤵
      PID:6308
- - C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
    "C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe"
    3⤵
    PID:7008
- - C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM
    3⤵
    PID:7012
- - C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
    "C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE"
    3⤵
    PID:1532
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js"
    3⤵
    PID:5968
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE"
    3⤵
    PID:6444
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe"
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
    "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
    3⤵
    PID:6756
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\AUTHORS.txt
    3⤵
    PID:1420
- - C:\Program Files\Windows Mail\wabmig.exe
    "C:\Program Files\Windows Mail\wabmig.exe"
    3⤵
    PID:7348
- - C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe
    "C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe"
    3⤵
    PID:4340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.js"
    3⤵
    PID:2792
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
    3⤵
    - System Time Discovery
    PID:7624
- - C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe
    "C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe"
    3⤵
    PID:7384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppCS\Assets\Illustration_OneDriveActivityCenter_BackUpFiles.svg
    3⤵
    PID:8108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
      4⤵
      PID:7448
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
    3⤵
    PID:8044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Agenda_EmptyState_Balloon_Dark.svg
    3⤵
    PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
      4⤵
      PID:6160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Spring_Left_Dark.svg
    3⤵
    PID:7276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
      4⤵
      PID:6312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Winter_Right.svg
    3⤵
    PID:7076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
      4⤵
      PID:8140
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
    3⤵
    PID:6292
- - C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe
    "C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe"
    3⤵
    PID:7760
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
    3⤵
    PID:7836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardLocation.base.js"
    3⤵
    PID:1384
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupFooter.base.js"
    3⤵
    PID:7784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\CompoundButton.js"
    3⤵
    PID:3508
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Label.js"
    3⤵
    PID:7268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Coachmark.js"
    3⤵
    PID:4020
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\common\isConformant.js"
    3⤵
    PID:7524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\ComboBox\ComboBox.js"
    3⤵
    PID:6264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DetailsList\DetailsHeader.base.js"
    3⤵
    PID:7192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardDetails.types.js"
    3⤵
    PID:7800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardPreview.js"
    3⤵
    PID:7572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\MessageBar.js"
    3⤵
    PID:8240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Toggle.js"
    3⤵
    PID:8264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Checkbox.js"
    3⤵
    PID:8432
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\ColorPicker.js"
    3⤵
    PID:8476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\ComboBox\ComboBox.js"
    3⤵
    PID:8548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsList.types.js"
    3⤵
    PID:8572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardActivity.types.js"
    3⤵
    PID:8600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupShowAll.types.js"
    3⤵
    PID:8648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Dialog.js"
    3⤵
    PID:8692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\MarqueeSelection.js"
    3⤵
    PID:8732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\ResizeGroup.js"
    3⤵
    PID:8780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\spacing\index.js"
    3⤵
    PID:8820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\types\IPalette.js"
    3⤵
    PID:8868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\colors\DefaultPalette.js"
    3⤵
    PID:8916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\portalContainsElement.js"
    3⤵
    PID:8956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\mergeStyleSets.js"
    3⤵
    PID:8992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\createRef.js"
    3⤵
    PID:9036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\customizations\customizable.js"
    3⤵
    PID:9080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\keyboard.js"
    3⤵
    PID:9116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\properties.js"
    3⤵
    PID:9144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\selection\index.js"
    3⤵
    PID:9192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\styled.js"
    3⤵
    PID:6436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\BaseComponent.js"
    3⤵
    PID:8308
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\componentAs\composeComponentAs.js"
    3⤵
    PID:8372
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\merge.js"
    3⤵
    PID:8344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\css.js"
    3⤵
    PID:7548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\setVirtualParent.js"
    3⤵
    PID:8484
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\merge.js"
    3⤵
    PID:8556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\rtl.js"
    3⤵
    PID:9076
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js"
    3⤵
    PID:10012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js"
    3⤵
    PID:10064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js"
    3⤵
    PID:10108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js"
    3⤵
    PID:10132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js"
    3⤵
    PID:10176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js"
    3⤵
    PID:6416
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js"
    3⤵
    PID:9524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js"
    3⤵
    PID:9360
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js"
    3⤵
    PID:9368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\ui-strings.js"
    3⤵
    PID:9320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js"
    3⤵
    PID:9600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js"
    3⤵
    PID:9560
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css
    3⤵
    PID:9808
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\ui-strings.js"
    3⤵
    PID:9832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js"
    3⤵
    PID:9656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js"
    3⤵
    PID:9968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js"
    3⤵
    PID:5920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\ui-strings.js"
    3⤵
    PID:9788
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css
    3⤵
    PID:9860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\ui-strings.js"
    3⤵
    PID:9996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\ui-strings.js"
    3⤵
    PID:6400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js"
    3⤵
    PID:9824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ui-strings.js"
    3⤵
    PID:9456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js"
    3⤵
    PID:9644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js"
    3⤵
    PID:7856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js"
    3⤵
    PID:9448
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js"
    3⤵
    PID:9688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\ui-strings.js"
    3⤵
    PID:10264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js"
    3⤵
    PID:10312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\ui-strings.js"
    3⤵
    PID:10348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js"
    3⤵
    PID:10408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\ui-strings.js"
    3⤵
    PID:10432
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js"
    3⤵
    PID:10476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js"
    3⤵
    PID:10548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js"
    3⤵
    PID:10592
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js"
    3⤵
    PID:10612
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt
    3⤵
    PID:10688
- - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
    3⤵
    PID:10784
- - C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.exe
    "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.exe"
    3⤵
    PID:11120
  - - C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.exe
      "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff848453cb8,0x7ff848453cc8,0x7ff848453cd8
      4⤵
      PID:6964
- - C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedgewebview2.exe"
    3⤵
    PID:11100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\show_third_party_software_licenses.bat" "
    3⤵
    PID:10996
  - - C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=show-credits --no-default-browser-check --no-first-run
      4⤵
      PID:700
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge_pwa_launcher.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge_pwa_launcher.exe"
    3⤵
    PID:8760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:780

C:\Users\Admin\AppData\Roaming\Falcon
C:\Users\Admin\AppData\Roaming\Falcon
1⤵
PID:6312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9672

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10720

C:\Users\Admin\AppData\Roaming\Falcon
C:\Users\Admin\AppData\Roaming\Falcon
1⤵
PID:5700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395c055 /state1:0x41c64e6d
1⤵
PID:11024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Falcon.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
58756d99d2376dcfbede6057dd25a745

SHA1
76f81b96664cd8863210bb03cc75012eaae96320

SHA256
f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa

SHA512
476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
7b60700a2555e543f061d037779e683d

SHA1
561bd2f1bc631fcfedecacbcfb0c35676a7a6336

SHA256
90ba4be6d2a6af6686dd5820f8931e5fd1edfffc898acced30dcf8f06eb13ab1

SHA512
cef7e69ff483f2ae39223c95ae6060bc4c8419366131a68740646737edb5bfb617058f8f6a4ff76dc009d6440214bb83141c3a3d5e52f6662d7225360804184e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
d9b427d32109a7367b92e57dae471874

SHA1
ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39

SHA256
9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3

SHA512
dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
54KB

MD5
db53e47b3aa40ea5ebcdbe407337acf7

SHA1
a5dbfccb5544f4c06c771f475867b6651db9a6a2

SHA256
179579b42a4ea427ed49952febf546e6056b73d7d76def97ccf1b43994c52f99

SHA512
6602f03d333d5fba01de37d79352cf826044de11b6aaec4bb58b28cee3e954cd57441c29e8a244aa22c8592730f6f5e48be1522b35687c09f426bf3a1f5e2ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
27KB

MD5
da9335cc11a14227b61d8663d09ec33f

SHA1
8ff0398d03e930beaf80697ff8d28a0e47c0bd50

SHA256
f0b14d3cce2f618df61a2134588d44964ec9b35fbfc7d9388e3facf9e3d41933

SHA512
ea18ce7caa4c59069a1546ce390bee4f9f713fef8bebb6046a43d7344eec3c0944bb9bde2386ccf0b997cebc5dca12fd7243bb1ed4eb9acf30987ef12a9a7716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
18KB

MD5
ed45972610a9adea524820accc1fbe07

SHA1
cf45f9466e35186b44ad53a5809f10d1a9beffa1

SHA256
e50b0b40d0483e2aae4f7d87827ec7c93f5029322d83ac49b6d4aeaab5583df1

SHA512
e649ce67f072d44d203cf7d7c68633b40c0a79f3bdd075663076b53965d16d2900abb2c6a298a4ae534109fa48c9feea8c29c972b22dbafa132502c3b1297a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
d8bd59469456f995f74596d3edfb017a

SHA1
2d317458e22db79dfbf2e16d1f0885edbe61ed33

SHA256
6ff192c7874fedf185b62ecb118fadcdb073c00f1d84aa2c7e366940a180035f

SHA512
b11bc8e640c65e0a5621baccf253975d56cd5793563dedff7b175bb73952badcf5e438fcf188556e728967eb0cd0644fe1b0f91e5936d875ee446e74e5d8218d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
d37e668b713d36d5129b4d9d74344fe1

SHA1
8efdca71193d0a2f81452ac03f76f6eeed82e742

SHA256
60eaa9aa93019b89d75149e2b4863b54b389109d3d93bd02e89ec2342146251d

SHA512
a543f50548dfccf608cf07b1fa5b3af753115d1dad7eae983a7350e6fc59d863f46901ad3326c851292f021b6137e3bd4c7c1af616bffbeb7649ff643a185d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5d0c04f9998369cd_0

Filesize
3KB

MD5
e6f4a1bfe30c4000662fe0be465db981

SHA1
035c7acf41feaad6858b3ece863e6fd84fba7caf

SHA256
9e49c6e7d2539c6801ef04a98db09bb63c0777d2604cc1a179f373c8c791dc44

SHA512
3d1593274ad73a5455f28903b2b44b43bf3cce6826cc080d252adc00c6c11de9b4e2f21a0d2e128140196ed34cd24e950f1e7eec75df61361d107bc03c5601a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
c4db328b4e96887cdccb1b599421a5ad

SHA1
d87390a2889df2bfbb71350773f710193ad4189e

SHA256
74a79ee06bcfbc6cbda8dbfd1f289113a6fafeb9674e801836a3e2a1407de248

SHA512
bf0a1067996a4ab623bab96fb7fa8e532641b5a724bf55aa3e07aba26ce1c94ec038959b35ea96294aa4385f3ea453a925b4c1af7651c1d21c34a836ed9b725d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0

Filesize
1KB

MD5
ec1b8c477c0488532a41b0c2c10aabec

SHA1
21ec11361f21bfa089e269d5021f4b7a1bb8470b

SHA256
067c899d751075faec41cbfbbd83ed5d6b654d9b6141f637912c790008fcd797

SHA512
536712e49fa22c772b1ad50f5b7e3963847dd1ddeb41fe1f32d12b9a3bf4eb8693bd7fdada7a590679bae81195c95d8523e9efac7a8d1ae2d5b1186ce53d08a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aa5fe3b36e22e31b_0

Filesize
3KB

MD5
dd6963eb0514842c3b051c330aacc817

SHA1
89d823604b21c1836f6b68f90e84e62ada4f09d9

SHA256
5949c45ac6138e8190e119c2373646a7dfdffdc453caa6796321c2f4fc17faa9

SHA512
fdf09a3fe27e7ba40d344df3f6827cc334ecf89b09f36ac3b40fceee6d61faa50f1d6b19611549f5789c7cd6049b863f06ed5223ec03d69ea0b99b33213d507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac9b40a0411376f7_0

Filesize
1KB

MD5
2c30c4ed431bbd635ac9bcaca7363ce4

SHA1
972a593eda188c0bb7ad162ef33faecc9d28d715

SHA256
038426cfd7f1d84b0283af6531651cd2ed399e1364fb5d3007c35b1c83135d2e

SHA512
9e871b13d9e85065263243dd85802c711ae493f8a5b06eee272aabd57bdafaf112c6dd599d1ac4713dbc1be8a69404e922fa3816dceabb3ae7025972be26b09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\daea348421cbc209_0

Filesize
2KB

MD5
399f5cdf9854daa922af4ecd835b0e7f

SHA1
74dbe4399d27b835b60a362110bdaa291c934609

SHA256
427bfc90807dd171ce698a62a439fc2080c095c324f03769df0113c7143a757c

SHA512
9d2cf47dd98660d11ebec5dc74dd16d95e4c934cf7de7283a5aad09783cad41f85bc5e170dbdb14246922a58e69d061548efa1eaeb57043f976b3139298cdb8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f89251fac2b69325_0

Filesize
3KB

MD5
bcee17c1959657c4d16bd5bd4a11e74c

SHA1
eb837852fe040fb30ff8b3d2519d847fb6d1881f

SHA256
cc95f00208f0a0aba3db67d4bb50d4d5b33a8238182fa6157ba0857569e50f6e

SHA512
550beb5981a3d2c5e8b7b9e1dd6ca576365d972708d39064a1c6e3d4797ace7bde79ff110defe0e7b6cea5d21032a705aaea5757c66e67e11dee0c2dc5711219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4417a46f4554a70769b5c829d3b2fdb4

SHA1
ab7912be830515004d8575527294341e4e97c10b

SHA256
a7fa78648b6bfcc6680255733f07b8835cdfde67b51496c3ecafef8c1f20da53

SHA512
605272266fb613396db3da20f23d2ec831a78b16fc70a422bec0cf38e4a0435e5507a659315ef05c7d2d5465cd896ec4d9c7fe06b6959746d4d680d7fdc03dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
b616028df4a69a77b1c329727b63449a

SHA1
ef8c55389ca69c6adb3df640f4d0b95719cbb4d0

SHA256
dbfe0dde1c9bdbffecb689b818438a98d2bf373688d27e004ac5595951bf6054

SHA512
4c4e289269e55adb03d78201178713b996cfce03b17248f3a390f66baa6bbd51595869b0b81b09e6ca9a3887f62f6fe047a899c854de7ae28ebd7b5e9613728d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
dab2faed7d400273a5ffb8ff387d2087

SHA1
3ec6ac22ec12d2050a503a00a2cf9a97e3cfefea

SHA256
a9e653e3d08193e4357daa3b0b4c2f27cafe5d7e318caa3495b3d993ebd8e0a2

SHA512
7e172bec16fe331fba01d67954fa99dacff03a4acd39c957773c87775bdc77c06e06a4bf11b1b6e66a98cf9d3522df7c35045d69ae722076efa34a105f5ff6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fe41650a55542d471058da51afd1077e

SHA1
093831c13dbc82981de8919d763d678d1c64e1d9

SHA256
5f56a5b6f4e1130d45b6e37f1946a779982186321e98310aa45da3cb97c99f62

SHA512
f3f3f3e770afb7729ab5bc741e1fe7a7abf86ae3265929b43f5e6901a943c5e81ba7f3b2e4b508d8cac4e7e50bd5cee697845cddd5ba58439c7cc46de948aa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
047dcde18249ba4fa38d7a3a5e686f49

SHA1
6269ca578aba5dd1f248d90b10bbc729aec937be

SHA256
10c79e10d4464793d69b697392d227c2533deafacaec954af3d6db34e998df9d

SHA512
c2d91fa3383fcd95c91eb8cd74435861e8eacb14995ba58dce5462d75ec1044ff3111a52ca881a816d3b7d0233003add24ab4cb0eb77357fb0407cb576dd4a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
75ec2d55a94e6a888cee78d2039e35dd

SHA1
a6df5c2913cc0e5d60e3f30f7ade332db0b107b4

SHA256
a7069d7e57c4babf295760ccba09fe88c5b6d3b437cd33aac9b22c5e44ada2db

SHA512
9cdb6e6e402acec20ee057c574730f4941e523c7cd3d39ae575eab8420e8c017a24ed11bc0e829ca128e2fe30da3f33386884fd52778f731f2e61143152abc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7c82fcb7b1b6b4d6a73f2c28917a7084

SHA1
d9701867218bde45704e6214815223c5a7e89c60

SHA256
5d820cfa1c4842bf982132ea720d531307ce14aec074285260ee98d93525d37e

SHA512
86a80425b1032675b8eec0cdee3c5d3dc5bd7d4713ba0484ba94129b8df779b5edf708d32f511d779066171e6840a14cd434e37a589af6dbe53351ee49ecd8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3adda6a1ef51747bc91229f62f9638f

SHA1
b6979b1b8b05acf1c44577ce5dfa1c997a16b055

SHA256
634351346f143dc45e7cf17806c4a53ab3b44c6ebaf621e8b1d7e899b6616be0

SHA512
eb4b88c1b57916611d81276346758129ee7e63c8f0156722c3d1a45113aa2f42da77b5a6776b499090213418adbad3e3a2106790b990fa74449d92f9cc9fb437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e18bea0743939bb57fe421e4551de38

SHA1
b3805d4bfe86a63961b192182a0040ebfb9984ae

SHA256
5dcf9a6f6b7476ffb95c62ec778c2e7c61f6c425787e0261ba5f8a5dd494befd

SHA512
060e2c1a1d54914748faab6f99e4afdf04a7138c65367339bd0c9d9da8aed4847e61a14c584740bca85a38a6f25694b988449bf8085c48d703f574d2ab3f8f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9eb4373ee3c064bd8226eac14ec6d49

SHA1
a2f37fd55050a27dd9bb7dc04197a1f16cd6518e

SHA256
f8331211fa60829320d148a92c69aa8706d003d8ac86f56f650abfad3e4a5c36

SHA512
ae0c951fe22008b0c3dc280d3b2c25799116166c09523d5dc49b939fcc2f33f2b605e3c7a658826a3f0041519f4a8790e9fa41458958ae8d24b8ce74240323a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89843dd32420ea80c272793e259b9ec6

SHA1
f5ba1b1eb16eec8e135fa2196616c4683f89f19d

SHA256
c8cd12d29fd4c0daf42259312ed4231bac71203cfa68cb7f94e654ba45bd1d35

SHA512
1ee6dcbf7bf68dc00e6aa59f50682d8dc5d683d12c6a801d6454b4f04100182147001a94ea53414db5f6d826958cf4bddf3c15ed7ccf37255397caa48fc2d77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0dbc4d8b0df4f9ccf5bf6328dc70af31

SHA1
e78fe8496bf7925869d61df4ad993e30795f3699

SHA256
eca123863cf5128e394935726631c0b75a5155ce55f422aff6a2176da4153ef9

SHA512
a5a6976b6c487ed161d22e81db437069a81d335359948d6d664b3e56d88d5053d5ef8d1af4b22d3192a83515d2bb3038ed9319cb5aa7fe8c2f555928779308dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f64f7ac25dd110803d86cded95041ba

SHA1
d5b631227b66bbd1d5aa2bec79edffe8468fd9f4

SHA256
059f3433d65785d120fb025f6c4dd579b298dca53dd5038c436ace17af4fa35e

SHA512
c8f6f2807ba3e02ea353e7338178b0bd29fcfb91dc749b54a9845781a2af396edf94c40bae0d3b205192096c30e985f19059ece761a7e96c325bd9952a68bca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b819bdd5ccd95bf61a2e61b711b06663

SHA1
45abf5f663a1658f53f872e4c27016896b5276e0

SHA256
de72370f67bddae0e245bea1671b1d4ca12ac1f98bb6827a086433f0b7e967c8

SHA512
a26c7c60e0033d4a8f07574e4c2905f09261d7e404d72256de3742f3c5885a12a400388c765d337dd8cdb4c571a1a221685a7289916527de437708deaebf9f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ad3e.TMP

Filesize
1KB

MD5
22ab7a940fb25eafd5dcf58a6b8a93c6

SHA1
bbdf9f2a3c444d62449780e56fe0b2b89ba5b691

SHA256
bc628167ea7a5e8011716d3c7e93ad88dbc07354d6afd256484d1f77378844e6

SHA512
f5dfcd90d449b925c52dd4fa9a8c7cb958d784fbd66cfcaca9100066a5ef6fb4283e7f5b22b467a3cb99340f84d9d25e227fef088d5da8013516152512a65929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e04acbb22d82a02a20b3fdf4e7863d77

SHA1
c702f3ad18b7790f920b8a86140c2e6dee60a91d

SHA256
a0b8cb3c3b5fa2a96197feb561fa714925a14c61d56c099ee06d55dfb337b8c9

SHA512
b209129aad3ab4c81b6dc2540b4d964412bcedd49e3ae2df29f3745a8bba993f73c215a2d8d2333afebb273eddef0e0956d01a5603c0ce96fc54341ed2f4dafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a1220cd93b4c049eb7d46043fa6cdf2

SHA1
8e0aa0ed1253e296bdf9520f2f7e7e44c895875f

SHA256
43251509aa79b180990b8e1cd41d8e4a3c07575f9bed8019b5a0b51dc756e54c

SHA512
0e18f8608c6aba714c89a60e55431a2e433a5ff7641ec8ec5dc639611bc505a1538fa2669d68d4adb464fbda46d1e502ef797e5795070fad5a259493d03be963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71030f592b049fb0e7089fefcad6b153

SHA1
984c93ffa52da2741f30a0f1f350466c820bef76

SHA256
a5e45a93b8a686e7aca03d9caa307c8952cc70842d31e3b3398a734fd824157c

SHA512
47e0b679caad3cb77c3927dd631ba7567b5a9b86682a09f1a0b42628186153cd4b423125368a1d9e8a29aebf3938772d4efb859b6f12ecd969e6b2c44524bb90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f2914e025d73126ecafdadd10e48e5e

SHA1
8c7bcd6ace4c9d3e72b98f154e1eb66ac1c0df8e

SHA256
d0ef1c4aee817df51c35c053d308e0d3040052724aa647a71a4ec7e58a2e66f4

SHA512
4076c962398a58a11617cdb601c095dbfdb8029abc569479591166c98ad7d13d09a871b4a69ad65abca505af31d8229ebb498be68282c74d264f8bffefc60209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
30190f43c8df8ab64252f24d775c3b83

SHA1
a1e9bf3bf02655718802a532d0b6dd8b31118e1c

SHA256
50fe74b2f605b2d37c6f8e90a484b57c7892f34f48fab71418ad6baba1dea847

SHA512
bed1e114997ee474fa51e071e8ad7862c101a78b085be32aababaad1f403326930be8ac64b5f626fe724a34d7b5c99dd544c39946940711f03457a015676f90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1406e40bc90234838ab278843448a11

SHA1
7e056692cfcf53a92ba8582a5fc0d2a418ef0c81

SHA256
fdc53165753f599dd5a22b0bd229f8e4c63e73dc47aece0b475c79a7255b1d10

SHA512
8ada81e44b16bfca0141dfe52a0b63e3cc7827b8dc45bfea87f834ffb759eeac87426c722b75fd76a447ab5efb69e0053b9fb34bd42d40b413a48f702eb70ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
7cb5a2d5ca8088badb5962bbd3d9a9a3

SHA1
9ae6cc01d69a2f5bc1eb45d88feb0881d4730236

SHA256
ff30e22bf244b34d694ef31f2c973534a57b8fdbd1b21c94885a2b7d63f4d973

SHA512
4d7316339905b556a0800d946b66daef36c965fc08e6e94434e7a7acbd967a2ce86abe109d6ad1aedce35ff8fc042d5ef7a1b2e11d561421fa58c334aad48bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sdnj23h.5o3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwarvn.mov

Filesize
221KB

MD5
f0da07f225ebb1da25f1da6218684511

SHA1
119068db8948e9027b34f903c0b09dea5f169d0a

SHA256
d776e9eee0776fbcf17d1729300ba4f5e3621bd238f1bab08a3358a06c260534

SHA512
82e7dbc6cd14edc88d838367c8b33359b08ec719bc17ade9a5b3622dba7decda509089f8fb284bf5fcb84a2c562789e9fcc47ba596cb888233737aa08b82b315

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqDB9.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\麓騒仔躺瞗詢皽滅哭师犯懶合馠嗃廒.txt

Filesize
260B

MD5
de9cc24f9cdb9b50e5713a854e7d2fe3

SHA1
da895eb00e8999da35f4bd3906b5c08cface6bff

SHA256
c0622c7e26ebaa79fb4950d39b656e29a2392b5fb3de15bb22ce031d8c6ceffa

SHA512
75d1ce72321502b35082c0191a7c8b4b171990c1a5f4f62be69153ee5e73f5c6b0bcd6014dbca7fdfa68021896af982873137722074290f6f5ba1fc22ea1fb09

Download Submit
C:\Users\Admin\AppData\Roaming\Falcon

Filesize
41KB

MD5
5c62d9be667e8d03c0ef82fb4b74c965

SHA1
25836658f7421e5c7ad842e8a01bfaeeee1ced33

SHA256
fed171984a55cc4e3a005fe373e2c28f62d81324674bbeeaba1f95db97a2c8e9

SHA512
a25ddef859675a66a6452421bec9a8593dc77bfa06ac0c704fe1907ecdc903458c4f2383a29d3e3d56158a22248c3d34fe92d20ee346f42e6949cfc9d4120553

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
a8778598a2588c16597a9f61e9ac6d63

SHA1
360e820f9ac95720fc7a809317d46cadd6e57069

SHA256
948b64af12a3bb3c1bd5a9d98ab58fb24a04d9b3281dddc7fa43fbb1bcf4d6d5

SHA512
5d1c66a307a7e9786fdd0c556080631a90aecacb2121cb6564f64fd3b2c8a07d98a2da83a3aafa86233bad2bb9a313a2b093d62566441142841ade92a4a69ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
29c31826f687243bf7a916b340782ac1

SHA1
245d4589a6abd71ce0709cb89077986955f9689a

SHA256
203fc23e5731821d18c066fc0935b4c121f185c50580c75a1087bf919758a34e

SHA512
5b52ac2726d2a5fbb92c41ea8a5fd1cef6582b006ae046a98770807be7131cbf5c63d62319d2fbdec4043706810d26e5cbdad60e22bae16b93b02be46a93abb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

Filesize
8KB

MD5
9c057771c3aeb4b28ca4043a0d197ff2

SHA1
b8ea8cbdfe5534edad2dbe80577f995d4603a10b

SHA256
8886579ae6e6c230cb6b708c94ec84cc43dbc0e3021ff8becefe11109aae472d

SHA512
3d597107c50e0ad4d0df52523804e0a919996dcaf2cf2bb92c8c740fb3feb70fe77e84018ebdb5b6e51988e41a2869de78405389a016757614dcff2c181e979d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c6cf32283e3896e50771bbb1bb58a060

SHA1
5a0e4102ec58aea1a16a6ca2eca0e60fa226d5ea

SHA256
7d5aca8a8a550c696909da1a85e73104f5faa7b831fc8678acd185e1b9e56b98

SHA512
cc3d108e776c8cfd09287f9fd00b0e2c782ce5682bf43b5a5cadbb07861c573a90f1d0c0dac4fd9e545297f21df1f8e5ae4e771bd2ca8b69ce2fbf2f2454862f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
a7e70486a72ca2c9b699485ea038cf8d

SHA1
26e8c93fcc8c59cad80a563ffb6f68adf8535782

SHA256
ed917352e4d66f7855f41cac1d16fd22b74188f06dca231d9db828f54c62668d

SHA512
759cdf4248e9f5f25dd60af34d0c803fb48dcfbb6add2c446aaf2089856b0cc23ffb233bea148a4cc57cba3e91f033a44c7f16e661a1df1adab8f3337bc8299e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0ad9eacd2784219cec075a0e970856b8

SHA1
e1a5827c38cd840215cff0f3e7a48956a64856f0

SHA256
ffb89c40ce0dc6ca3fc2bdb205e218b482eba44091ae69d09cf3d7054ad229c9

SHA512
684934bd79e26c4b4de53de6f42448e69436d4ff6271764b37cd872e1d85eb825e3f644ad9060cc50688d74be6ed93ba7bba78d9fff1fb834e84d972ea8344d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\844ecdcb-76e0-452a-ad47-9e8f20dabb05

Filesize
982B

MD5
1a419a79ecbc27f34e7a12416b4b7a61

SHA1
1e3a47c03e9f2b40badf4471b87868733bf9932b

SHA256
8901f827bbca70fcddfb48f29b3cf361fa5d18f3471da01d2cbc2b6dcef90ace

SHA512
b8095e574a1f17ab7aa73653d62ddd562496246141a0f7f1c84599358e8f1272df5d52aa1bc03aac42d7a26949834807284565c8e0a77e7d5d679f879c6f4e8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\b780c65a-d7c9-4925-9d35-e3baefefe116

Filesize
26KB

MD5
5c12ddb13c22b9815017fbfc41424dcb

SHA1
3f87caf31a034964906002f1e47cf2133608f70d

SHA256
d7f43417035f2921c8cde59b65c32d44feb4dd781fa69872efebddaa12bf1652

SHA512
34833f9ee2b877186ad757bba38f8abf2c6eb65eb58393065b974feb1e788487850501cf8291543ab2f9bebb9c6df15a07cdc6eee442c19bd7c2d724abcb7cc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\d440a062-8a95-49cc-afc2-b29040b52585

Filesize
671B

MD5
121f02f4ae2206a632c3c279792c3757

SHA1
1dfdaf6e95f5d38c289050ab789c44d335c0001c

SHA256
38189d6a1daac8c9edad9430776cd7cb3babf29a9cc077c511a35c8d7f0f6f92

SHA512
68c43b27cec1f99610f68f074505548c9695b90f1b6fa7cfe347b9600dc4b827a9904c6b23efd0b51b28c93cecbe9ec71e220f2528a55748c19373a77d1c2fcb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\places.sqlite

Filesize
5.0MB

MD5
79c2052b200613608b25ef0b58eb31fb

SHA1
1dee56cef26bb510f9213863a1ff2a9764f5db54

SHA256
0a42b6c93eca76a607176929e4c489b3ae2926c3ecd4a2548ad9f913165b0ccc

SHA512
5101acb421bc4920c38edd9e1b0ed1d61cc39e2799c745fbb7dc1de6b0fe5f3746d7f11b1ac33c23d43772ad7b21f9f343fd2d9bac5fdfde8f988e62ca3d48bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

Filesize
11KB

MD5
0728085261cb70e396c5082cedf0971a

SHA1
1c87f4909db605e8537a9ee5d74cb10397605734

SHA256
9b418ee45eab0f83500fc984ac8a88d08b9db1af5237fc1271783bada8dd99c0

SHA512
63087201d01ae78352a259f8b91bfc6d42e68d35965d5c97b0926c7720d0d479c042119c261a6137e0bdc5404c4f001d4bbf061692fda61a4a568d8b35aad950

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

Filesize
11KB

MD5
c0991743f83a66506ea8f3cd4492aec7

SHA1
062ea8084010b0ded6682a854e443cb2f69687ff

SHA256
6f0a269332cd90fc10bf1580d2581d8ea2b65b9f6dfc0581924ca4e066cb90f2

SHA512
9337b4426c31ca3c8ffcaf2850dfa43ebe14e32bd7cdfe6c904bc7ae30c22c2e301d027a379137345f5902f3e7c4ab50d5c9e6f0e83ee679c0f58bb4559ac442

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

Filesize
10KB

MD5
f7fc88777019db9f336bc09410c1ddda

SHA1
0f4287b75b709e6f03251fbae3cd0c06b3d0e1cc

SHA256
11e15e724a269898ec83821adc7842065a50283264c3be7be5d788c94919bdde

SHA512
55e0d02cd7b2d2b68d582fe7997e76a8e24341aa192ca5fa5c62c4abf602fb9b6b09d74f61a6548547105be29fc66aa8d30f82538293200454c8bb1d6bbead85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

Filesize
11KB

MD5
b23044690b053544d53261ebc0c3d774

SHA1
d6e68b5d8661d5a4675a1c132843b575e29ce55d

SHA256
370b1523deb89253bb7a844e3b909cb98927e63c5f41bfc81c2aa2f09f679037

SHA512
c6828e6ae1a2d02536cd74636bcab262dae9554c843e19fe3fafe487d0178931a00045f35e046e809ac4cbb9ece624d559cacb81cf43f7d2bdca638deede6ca2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
877772a5debfe26445f9d634e7724836

SHA1
d1f77db4706d7328cb76427ed8ed020d9412873d

SHA256
e7b6452cbfdc596051c62d61621402a30c58bcebbb6bda6737b623e1e82b5e68

SHA512
f4093185d3438f0847baaa6e8e77ddebd9e9d84ae89998765064089d97c545a99b17941da8530dc61c460cc79c9235b5d4ad8ada7994fbc86b7f9dfc71b721eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
77e806c597d877c7fa7702169c300142

SHA1
5b53017f2c3e7fca8c9b02bcbb9ca1f72d563622

SHA256
5e4f4d91de8be38efbd4bcd70c3cb658826c7fbfe33d3acbba79d0b3ad9fd7f3

SHA512
0697cc144df46659a1ef8567c086a9d3320bcf54f57b25ba37ce1bd26fb114655707beb913de8cfe93d58a3293089863807f3822ac8029955f7d8cdc7a680856

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
755814889894f1cc8cd3f69c955314c7

SHA1
27f82757fadb25b4a54b49d2108fd005bb2f6d6a

SHA256
9e7ea17c0dd1ff33488d005a766bfdbd9228c5a97aa052cb624dc73acef937db

SHA512
de6b7e086589579c26d6adb61957854ecef1b8912ba61284deeb9209c66ba429d4b67ec793dd1df87184528b161e47a6ce61bf9ac57c6362378bbe0853d3896a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2aaf39f4034f83c6971e5d891fee071b

SHA1
ec4ed07b593e949f7650fa1eba092b77030c6250

SHA256
0645455f9b45d9a4b0f3f2a86e128bb7f8cf0ccb97769a8b57a61e4da6c958cf

SHA512
732959f340aee96edfcb51e38d66cf1dd0cafdc8bc06342dc9bcdb31eef1e9d34d780ad546790cc50810cfeda182786bdfb9deabf176fe81b5d1f601413dff7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
2b3dab066de147dbbc542e7fff68861c

SHA1
c12d7db3069d5518ad76c9e2901fe6f72cf8f0c4

SHA256
2e7bbc7e10c55603d67c6062872513663700afa19fd179ca4d74943394f17c38

SHA512
249512b3e467cbdbda69a5a2a85860bfd1f020b2ac4b9b0c9e5060514ccc940d740b2f9faac1eb467dd2935d8ba89d3ea6fa54842c44251083d9d99e0ebbe555

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
5cf0ea5822157a7e77f4ac26f8743ebf

SHA1
cbd87ffdaa1125800d6faa80caf46686c670ec09

SHA256
fd1038d2c86b4848a8655b3447fc6ce93b4e14d2a996cb73ccaf229793757c03

SHA512
0268bfa95090912265e4a8ab0a1254bc97742ea35f4d074c478aa8065459be52f19a6ed19ee62f0b9997fbb97602d76b41fe386d7033195220cf8297d989eb52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
2aa7a83d042d0829f55ebd6eaa6320ef

SHA1
4b436de414f39cea2b4f4bdaa438cda3931a05e6

SHA256
bc2548e5b242539e59f9d21faf837a0d3d5f874228241c54f8977ee90ea702ce

SHA512
25055244faeb76537cbcbc99464a7b105843751ef38f544fce6694deac173d36b97cd8307e404c642b79f2867a14d6598db4c528d52f7404704a9740ec1376d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
d79b03b3476a12c7d08c51fa57deaaf7

SHA1
53f988b5c63013bf1f4af1e752a1f6dfa4325510

SHA256
c6135e43abab006d15c4585838946c29022456c4bcf15cbaef37c5d0382408e6

SHA512
1485f7631744771c5ef3102a32a7c80529578d5d8024ee480b85666fc5ccbd3e6c17f6fbf8712fe8cc40b540f00ca0645c11b91e6d5bc0fc3840e9bc66c31685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
fa941e455409baa6c4a047119eb33f3b

SHA1
54b013f4115cd579ede3e9d4e64df6c0894ccaa9

SHA256
87d98c9e458f094ec91483fb528afbb2d3d44bb9fb3c5cbccc54026b5a7bea7a

SHA512
b5bc22f834c6ed86329217e83ffc57ef69e7e280a783f60d7edd0a2dc1c0a768402af79f58242011ed2db58086857225621cc38c25def3bbc46dbd3b9347b262

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
9514237c10ef9e6dcc1c0826bc6f2ca7

SHA1
82cba885af6f80de0ad3c3d736e4376d1cf7d5c1

SHA256
a225d9a312e86f5a02b149e5e02a5b9583b3df9a1dde49cd690670e6db6b2677

SHA512
fbf7e612a0f86bca961832c274de682259617775d7641c96ddc51b646eba87a233a2522c54bdf291bcbeeb85ee83bddcdb3a170adadeaf9bf94b2c87e4cdc4aa

Download Submit
C:\Users\Admin\Downloads\Monoxidex64.exe:Zone.Identifier

Filesize
66B

MD5
ae094372f9dba9dbe801afe3a12abd07

SHA1
e72f2c76d20769d4232c9a1661d57985d190c6f6

SHA256
800836a5711c875ecc8277b3d85e61d5bd2adc04722b496a4fb15bce3a453941

SHA512
20a40af65386e323251b806f3832570192e6f50d4d2cff6ecdb0be171fdcff9e001033ebcf105adc7933cb5c8bacd1001e8cce1fdfdb251ab6d9a26ee8e192c8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 106011.crdownload

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
C:\Users\Admin\Downloads\XClient.gL0AF8O8.exe.part

Filesize
4KB

MD5
d2092dd42fa59320cf8190dfcfdc64cb

SHA1
6d098371ebe44fb62da9a8b9f954779268aca211

SHA256
7bc9eb5b41bf11ac565d0ab48adbacc31a159d0e9596ec23f9441585b651b777

SHA512
2ef4dc4710efa1af01d58416ce1aacfe1681a56f605707616c69c816c3a5d8fab5c6f1d4569061d8068bc61581a6aebe3bd5955fb874eacb2755df121f804762

Download Submit
\??\pipe\LOCAL\crashpad_3940_GBNZNYUMCMALWDMZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1960-1880-0x00007FF83E000000-0x00007FF83E20B000-memory.dmp

Filesize
2.0MB

Download
memory/1960-1871-0x00007FF8601A0000-0x00007FF8601D4000-memory.dmp

Filesize
208KB

Download
memory/1960-1933-0x00007FF826800000-0x00007FF8278B0000-memory.dmp

Filesize
16.7MB

Download
memory/1960-1873-0x00007FF868FE0000-0x00007FF868FF8000-memory.dmp

Filesize
96KB

Download
memory/1960-1874-0x00007FF866760000-0x00007FF866777000-memory.dmp

Filesize
92KB

Download
memory/1960-1875-0x00007FF860730000-0x00007FF860741000-memory.dmp

Filesize
68KB

Download
memory/1960-1876-0x00007FF85BEF0000-0x00007FF85BF07000-memory.dmp

Filesize
92KB

Download
memory/1960-1877-0x00007FF85BED0000-0x00007FF85BEE1000-memory.dmp

Filesize
68KB

Download
memory/1960-1878-0x00007FF855760000-0x00007FF85577D000-memory.dmp

Filesize
116KB

Download
memory/1960-1882-0x00007FF855650000-0x00007FF855691000-memory.dmp

Filesize
260KB

Download
memory/1960-1883-0x00007FF847A40000-0x00007FF847A61000-memory.dmp

Filesize
132KB

Download
memory/1960-1884-0x00007FF847B80000-0x00007FF847B98000-memory.dmp

Filesize
96KB

Download
memory/1960-1885-0x00007FF847A20000-0x00007FF847A31000-memory.dmp

Filesize
68KB

Download
memory/1960-1886-0x00007FF847A00000-0x00007FF847A11000-memory.dmp

Filesize
68KB

Download
memory/1960-1887-0x00007FF8479E0000-0x00007FF8479F1000-memory.dmp

Filesize
68KB

Download
memory/1960-1879-0x00007FF855740000-0x00007FF855751000-memory.dmp

Filesize
68KB

Download
memory/1960-1872-0x00007FF83E210000-0x00007FF83E4C6000-memory.dmp

Filesize
2.7MB

Download
memory/1960-1870-0x00007FF7A02A0000-0x00007FF7A0398000-memory.dmp

Filesize
992KB

Download
memory/1960-1888-0x00007FF8479C0000-0x00007FF8479DB000-memory.dmp

Filesize
108KB

Download
memory/1960-1895-0x00007FF840D90000-0x00007FF840DE7000-memory.dmp

Filesize
348KB

Download
memory/1960-1894-0x00007FF847760000-0x00007FF847771000-memory.dmp

Filesize
68KB

Download
memory/1960-1893-0x00007FF840DF0000-0x00007FF840E6C000-memory.dmp

Filesize
496KB

Download
memory/1960-1892-0x00007FF840E70000-0x00007FF840ED7000-memory.dmp

Filesize
412KB

Download
memory/1960-1881-0x00007FF826800000-0x00007FF8278B0000-memory.dmp

Filesize
16.7MB

Download
memory/1960-1891-0x00007FF847950000-0x00007FF847980000-memory.dmp

Filesize
192KB

Download
memory/1960-1890-0x00007FF847980000-0x00007FF847998000-memory.dmp

Filesize
96KB

Download
memory/1960-1889-0x00007FF8479A0000-0x00007FF8479B1000-memory.dmp

Filesize
68KB

Download
memory/4132-369-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/4132-303-0x00007FF84EF73000-0x00007FF84EF75000-memory.dmp

Filesize
8KB

Download
memory/4132-514-0x0000000002DB0000-0x0000000002DBC000-memory.dmp

Filesize
48KB

Download
memory/4132-607-0x0000000001210000-0x00000000012C0000-memory.dmp

Filesize
704KB

Download
memory/4132-608-0x000000001ECA0000-0x000000001F1C8000-memory.dmp

Filesize
5.2MB

Download
memory/4132-622-0x000000001C950000-0x000000001C9DE000-memory.dmp

Filesize
568KB

Download
memory/4132-1300-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1305-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1795-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/4132-1304-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1303-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1306-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4132-1307-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-2-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/4132-1301-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1302-0x000000001D7E0000-0x000000001D7F0000-memory.dmp

Filesize
64KB

Download
memory/4132-1978-0x000000001CBD0000-0x000000001CCF0000-memory.dmp

Filesize
1.1MB

Download
memory/4132-0-0x00007FF84EF73000-0x00007FF84EF75000-memory.dmp

Filesize
8KB

Download
memory/4132-468-0x00000000011F0000-0x00000000011FE000-memory.dmp

Filesize
56KB

Download
memory/5276-302-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5276-286-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5276-284-0x000002795EB30000-0x000002795EB52000-memory.dmp

Filesize
136KB

Download
memory/5276-258-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5276-307-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5276-306-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5276-235-0x00007FF84EF70000-0x00007FF84FA32000-memory.dmp

Filesize
10.8MB

Download
memory/5824-2052-0x0000017C77660000-0x0000017C7766A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads