Resubmissions
- 04-10-2024 23:32  241004-3h9dkaxamd  8
- 04-10-2024 23:28  241004-3gg8pasdkm  8
- 04-10-2024 23:25  241004-3ejnqswgpd  6
- 04-10-2024 23:19  241004-3avkfasanm  8

Analysis
- max time kernel: 316s
- max time network: 317s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04-10-2024 23:19

Static task: static1
Behavioral task: behavioral1
Sample: desktop.ini
Resource: win10-20240404-en
General
- Target: desktop.ini
- Size: 282B
- MD5: 3a37312509712d4e12d27240137ff377
- SHA1: 30ced927e23b584725cf16351394175a6d2a9577
- SHA256: b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
- SHA512: dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05
Malware Config
Signatures
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource: behavioral1/files/0x000800000001ad25-436.dat; yara_rule: office_macro_on_action
-
Possible privilege escalation attempt 25 IoCs
Processes:
pid Process: 4848 takeown.exe, 6112 takeown.exe, 4544 takeown.exe, 3520 takeown.exe, 5704 icacls.exe, 6020 icacls.exe, 944 takeown.exe, 5468 takeown.exe, 392 takeown.exe, 5388 takeown.exe, 3020 takeown.exe, 5956 icacls.exe, 5436 icacls.exe, 5148 icacls.exe, 5196 icacls.exe, 5780 icacls.exe, 4836 icacls.exe, 1560 icacls.exe, 4856 takeown.exe, 6136 takeown.exe, 5484 takeown.exe, 5440 takeown.exe, 512 icacls.exe, 5660 icacls.exe, 5608 icacls.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid Process: 6104 Prizm.exe, 2412 Prizm(1).exe, 5092 0x07.exe, 5984 winconfig.exe, 1164 DetectKey.exe
-
Modifies file permissions 1 TTPs 25 IoCs
Processes:
pid Process: 6020 icacls.exe, 3520 takeown.exe, 5388 takeown.exe, 5704 icacls.exe, 5660 icacls.exe, 4856 takeown.exe, 6136 takeown.exe, 5956 icacls.exe, 4848 takeown.exe, 1560 icacls.exe, 5436 icacls.exe, 512 icacls.exe, 5468 takeown.exe, 5484 takeown.exe, 5440 takeown.exe, 4544 takeown.exe, 5196 icacls.exe, 5148 icacls.exe, 5608 icacls.exe, 5780 icacls.exe, 4836 icacls.exe, 6112 takeown.exe, 3020 takeown.exe, 392 takeown.exe, 944 takeown.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc: 103 raw.githubusercontent.com, 104 raw.githubusercontent.com, 105 raw.githubusercontent.com, 106 raw.githubusercontent.com
-
Modifies boot configuration data using bcdedit 1 IoCs
Processes:
pid Process: 1064 bcdedit.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc Process: File opened for modification \??\PhysicalDrive0 (0x07.exe)
-
Drops file in Windows directory 4 IoCs
Processes:
description ioc Process:
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdge.exe)
- File opened for modification C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
- File created C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
description ioc Process:
- File opened for modification C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier (WINWORD.EXE)
- File created C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier (firefox.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Prizm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Prizm(1).exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0x07.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (winconfig.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DetectKey.exe)
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Process:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description ioc Process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
-
Processes:
description ioc Process:
- Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
- Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
- Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
-
Modifies registry class 64 IoCs
Processes:
NTFS ADS 5 IoCs
Processes:
description ioc Process:
- File created C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier (firefox.exe)
- File created C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier (firefox.exe)
- File opened for modification C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier (WINWORD.EXE)
- File created C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier (firefox.exe)
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
pid Process: 4704 NOTEPAD.EXE, 5304 NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
pid Process: 5984 WINWORD.EXE, 5984 WINWORD.EXE, 6048 WINWORD.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid Process: 5092 0x07.exe
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid Process: 5260 MicrosoftEdgeCP.exe, 5260 MicrosoftEdgeCP.exe, 5260 MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid Process: 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid Process: 788 firefox.exe, 788 firefox.exe, 788 firefox.exe
-
Suspicious use of SetWindowsHookEx 46 IoCs
Processes:
pid Process: 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 5984 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 6048 WINWORD.EXE, 5984 WINWORD.EXE, 6048 WINWORD.EXE, 5984 WINWORD.EXE, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 788 firefox.exe, 3004 MicrosoftEdge.exe, 5260 MicrosoftEdgeCP.exe, 6036 MicrosoftEdgeCP.exe, 5260 MicrosoftEdgeCP.exe, 5092 0x07.exe, 5984 winconfig.exe, 1164 DetectKey.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\NOTEPAD.EXE
  Command line: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\desktop.ini
  - Opens file in notepad (likely ransom note)
  PID: 4704

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4400

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 788

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.0.1582683838\1937311564" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {656c6e30-43d9-4ea1-b98b-37077c3c1205} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1796 1ed551db258 gpu
      PID: 316

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.1.1832258666\2146283892" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ee5b41-da34-4908-9649-9b80ea68aad3} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2152 1ed4a172e58 socket
      PID: 2548

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.2.1278673315\1162007092" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2732 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5aa6bb-4565-4b69-aad7-4b4f65111389} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2744 1ed55160858 tab
      PID: 4000

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.3.125212754\1179345865" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3096881-233d-47c0-87aa-31c13a477510} 788 "\\.\pipe\gecko-crash-server-pipe.788" 3556 1ed5a2b3258 tab
      PID: 3512

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.4.859889298\1250420559" -childID 3 -isForBrowser -prefsHandle 3216 -prefMapHandle 3680 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52ff4c-392c-4c22-9e36-435b86285799} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4368 1ed5b1cb558 tab
      PID: 1892

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.5.1572713894\494285457" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4784 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6717005-4781-43fc-ae10-b775707b892b} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4756 1ed4a12ff58 tab
      PID: 3368

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.6.1661076916\1548802050" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9a15819-48da-41b6-9c30-8153543a95b9} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5020 1ed57bfd658 tab
      PID: 4704

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.7.275356741\1613313213" -childID 6 -isForBrowser -prefsHandle 4880 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aacc871-0517-4ce3-9fd0-901127de5fc7} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5208 1ed5b9d9158 tab
      PID: 3348

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.8.3355809\2093530671" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5576 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {614c0846-2577-4a00-b4cc-590ac2c0eb59} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5596 1ed57cfa558 tab
      PID: 2308

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.9.1452146512\345079908" -childID 8 -isForBrowser -prefsHandle 5700 -prefMapHandle 5692 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c671ec-107d-4201-91ed-77699199e9e4} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5756 1ed4a164758 tab
      PID: 1628

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.10.1765559355\241650633" -childID 9 -isForBrowser -prefsHandle 5948 -prefMapHandle 5952 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebfc526-7602-4f27-aefb-096a8956aad0} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5940 1ed5dde7258 tab
      PID: 5228

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 5984

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 5808

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 6048

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1568

C:\Users\Admin\Downloads\Prizm.exe
  Command line: "C:\Users\Admin\Downloads\Prizm.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 6104

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ReceiveUninstall.css
  - Opens file in notepad (likely ransom note)
  PID: 5304

C:\Users\Admin\Downloads\Prizm(1).exe
  Command line: "C:\Users\Admin\Downloads\Prizm(1).exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3004

C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID: 1384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID: 5260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 5708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID: 4080

C:\Users\Admin\Downloads\0x07.exe
  Command line: "C:\Users\Admin\Downloads\0x07.exe"
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 5092

  C:\Windows\Temp\winconfig.exe
    Command line: "C:\Windows\Temp\winconfig.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 5984

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D118.tmp\D119.tmp\D11A.bat C:\Windows\Temp\winconfig.exe"
      PID: 5364

      C:\Users\Admin\AppData\Roaming\DetectKey.exe
        Command line: "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 1164

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /delete {current}
        - Modifies boot configuration data using bcdedit
        PID: 1064

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='taskmgr.exe' delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
        PID: 2928

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='perfmon.exe' delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
        PID: 5384

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='mmc.exe' delete /nointeractive
        PID: 1568

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='PartAssist.exe' delete /nointeractive
        PID: 2532

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='control.exe' delete /nointeractive
        PID: 1012

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID: 6124

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='Security Task Manager.exe' delete /nointeractive
        PID: 5472

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
        PID: 2136

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='CCleaner.exe' delete /nointeractive
        PID: 5980

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='procexp.exe' delete /nointeractive
        PID: 4952

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='procexp64.exe' delete /nointeractive
        PID: 5704

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='procexp64a.exe' delete /nointeractive
        PID: 5436

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='logonui.exe' delete /nointeractive
        PID: 5660

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='regedit.exe' delete /nointeractive
        PID: 5196

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='iexplore.exe' delete /nointeractive
        PID: 1676

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='chrome.exe' delete /nointeractive
        PID: 4836

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='firefox.exe' delete /nointeractive
        PID: 4528

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='opera.exe' delete /nointeractive
        PID: 1016

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='edge.exe' delete /nointeractive
        PID: 4412

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='msedge.exe' delete /nointeractive
        PID: 3540

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='brave.exe' delete /nointeractive
        PID: 5548

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='wmplayer.exe' delete /nointeractive
        PID: 1824

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='notepad.exe' delete /nointeractive
        PID: 5748

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='notepad++.exe' delete /nointeractive
        PID: 5224

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='taskmgr.exe' delete /nointeractive
        PID: 5568

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='perfmon.exe' delete /nointeractive
        PID: 5584

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='logonui.exe' delete /nointeractive
        PID: 5392

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID: 5212

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\taskmgr.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 3520

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\hal.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 6112

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\winload.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 3020

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\ntoskrnl.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5468

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\perfmon.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 392

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\resmon.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5388

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\logonui.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5484

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\taskkill.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5440

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\tasklist.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4856

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\tskill.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 944

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\system32\logonui.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 6136

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Program Files\Process Hacker 2"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4544

      C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Windows\System32\drivers"
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4848

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='taskmgr.exe' delete /nointeractive
        PID: 4740

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='perfmon.exe' delete /nointeractive
        PID: 4916

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='logonui.exe' delete /nointeractive
        PID: 5492

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID: 2020

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5956

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5704

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 1560

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5436

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 512

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5660

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5148

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5196

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5608

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 5780

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 6020

      C:\Windows\system32\icacls.exe
        Command line: icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4836

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='taskmgr.exe' delete /nointeractive
        PID: 2032

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='perfmon.exe' delete /nointeractive
        PID: 4600

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='logonui.exe' delete /nointeractive
        PID: 1076

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic process where name='ProcessHacker.exe' delete /nointeractive
        PID: 2240

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 3960

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        PID: 4308

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 3660

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        PID: 1316

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 1820

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        PID: 4072

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 8

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        PID: 2636

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 4588

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        PID: 4220

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 704

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        PID: 1520

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 5908

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        PID: 1808

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 4896

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        PID: 2864

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 3708

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        PID: 4804

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 3832

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
        PID: 5536

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
        PID: 372

      C:\Windows\system32\cacls.exe
        Command line: cacls "C:\Windows\System32\drivers" /grant "everyone":F
        PID: 2228
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD55c70e4c7473a751dd1c49bf0b8f15552
SHA1449e8e29b512b3377a4d012d42f29cfd6dc43b8c
SHA256606bdc54867bc753f1bb3c16c8262e17e99e34639a9fbd9f5e5e07cacf885fff
SHA5125fdfdf6e0187fa8c259babc8926df771c656f4541fb4809516d3ebcc8b2fb92cd960670cbc8fd6536fd081e041331af6f40064db6fc9bde6de62a393c5340e06
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD56c10b7c5a21012aa2f2822b924cbb1c5
SHA1634e221b2a1cb2b101bc9ca8c98f9be4b22c0605
SHA2564599d83871947bbc47bb71859248ad3bb191958ac87c45e049571f269c6e4600
SHA51225b03fd8d8ae55bd28fbbb958e7e8ab173e5cce462a90c3df539d7a7f338d7f8ead2b967210a1dafebb123e76c27eaa606a397e6e07a1d652af8365e786775ab
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D66E7128-DE29-4FA9-B467-90A5456A6C3E
Filesize172KB
MD5fe36aec264befb55c856920bc8e8f752
SHA154226e1a541f60a2841e7596fcc2a7f520706a0d
SHA2564204aec4095db6b249a4668f74ae9e833bb08b3271599f95799d8e75fa32fc2a
SHA512f11cbf6e06ff0630fcce0b5e75479d8ef2bc47b0a2f27fd56e11e5f32313fa3640a435d43d71d6b48b738af6f3fe33b0af742aa82934f66a53f419471fe01c5a
-
Filesize
21KB
MD5539d4727f076e3d5c82d15114cf134fd
SHA12fd824c596ff7823d32e52cf412e872af1c81165
SHA25610ebccfc3815384a012a67bbdcb42f182720a5a761df1484c15d9a08e2a05dc9
SHA512778dc36165a8bf1692454c0b63a39ac6852be0b0f1f907afe0ee43073d7db4a46ef1e2c36eba87aac4fbd23a4bde23ed09db72fa6cdb042045102960a31046b0
-
Filesize
8KB
MD5e9df36c8be82ff90b0f04d5cf95ab9d9
SHA1376fba72412774f39a1aa320c4ab078db7e586ad
SHA2563db53b81021b7c0ef86fb9126a8730dc6bd035ece77218560f9bda3a57091d61
SHA5123369b581a3db84762d52c70037bd356e1edd604859690cb730abaf56c1e0369e710508753e9992fef340189cba7e06f5f4b1b1f610233b19a31996718f0ce178
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
Filesize2KB
MD567d104a08cc54e5bf225c69b41998e92
SHA17c4007eab0498211956c395b72edb3bb96188555
SHA2566060a102469407ea0376f27957f381bf88d9706249eddb7035c275bfc4660166
SHA51257349cf6df2aca8140a9919893361c6116ea24d399d245fef6b45e05587e72cc3764a348ae8344beaf2cd9fdb46ef532d45b42a7e9d190c75d80e56ffc74a7c3
-
Filesize
5KB
MD50ed5bc16545d23c325d756013579a697
SHA1dcdde3196414a743177131d7d906cb67315d88e7
SHA2563e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
Filesize
14KB
MD59ffa307aeb56ba4cfe2ee4477a3d90b7
SHA1fb34e1a942957f4838f0f941eea90b8b2d4fe696
SHA256ed5ce703a81a883ef24c58d1a95f1ed9a0be0fa3822b1e19a1fd3bc94ff80ed7
SHA5123fec728565078aabd6088ab203afdeb96a4790325fa66d78f504dcb5cb37bd3157b8c2b0d2111ec6268e526f0cb4925739fbbcf2bce27d2448067aaba9a9c9d2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\1zkKfOxT9z9AEv759z0PVw==.ico
Filesize25KB
MD56b120367fa9e50d6f91f30601ee58bb3
SHA19a32726e2496f78ef54f91954836b31b9a0faa50
SHA25692c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF88FF31479BA2DC4B.TMP
Filesize16KB
MD552a26ba6af9e987170b8e764d190d2d2
SHA14c2b32a8d9406aacdead01c73dacd772ab37862a
SHA2567d1096bbfd1aae43ce04d12facaf4d83237cd4bc5d4729f07d628f9b4bf6a43c
SHA512fb68749d069a92ca702a502f66b35b2216b045ebe677da0d6926ded6ff6cdbc95f293afc4291e319cbeab2292370eea8d5286ad3f3b72acd44767b05def3fba1
-
Filesize
5KB
MD5a645734f3bf4a2682cbaf546789ec0c4
SHA1fafcc11909412bf51f217e12dfaa93a15181a3e2
SHA2563b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
SHA512efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
816KB
MD5e93b96c12ac2e0070063c487ab0b2d6c
SHA1c2965d58b552e00f68198a8f65c5bc0f0c866529
SHA25662a49e88555ce542f6c1b3c4c0efc4ea731a285f74b3f33a17950d6c15c33fea
SHA5125763bc99c49f6556fcc5be1ab52acf3123e4546c9703f8aca51730481a18f5042afacc3b992e0b6a52483178aa11a805349d55ad860d5ed5ebf7e12767b0b643
-
Filesize
87KB
MD5aba9a3cf4e1db4602c25405987b809a6
SHA16cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675
-
Filesize
249B
MD574635f6e5554ebd726fdca0c002dbee2
SHA1278e66625144f9d89050b0bedb482a68855b97d4
SHA256483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
SHA512bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize16KB
MD5488d3668744e2959160ed957bb25386d
SHA15bb88924bcffbff6c0da83fa7d3be8e41c2c8c45
SHA25655f1946ff4ebe473032aeca81133fb0570ef1592a379108f373f37ecfd47ebf4
SHA5123bc257cf643fdf7866b366583f6f58ac055c7118207b1a7067e712b8dee217af755806483407f711495bb83a6bc49883ab0590407008fc3fb3217d697d67ddde
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD511bd814907d0d802a786a555445292c5
SHA105633f7a374b44e6cd4ac50f351a369c21172599
SHA256f630444ddaf228eff00c08268251bb9aaf2fa7d409e138d70d6b18515c940320
SHA512937b8141c56d527937a824245af2501945f592f82580d2edfe13642c7b1051c2c780ae32fd1cd3ded1dcaf40d17a9f2a46dffd0949eba2b2b1034b02f870df61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5f33b91e1a88d7c71efb7ba9f847fff78
SHA1c6d9ce79ccf95fd47da2111db773b661af973e67
SHA25616a68159a20d43c0e701807681835738d1df5a833db5635ddca3af062ea5fcdd
SHA512c7ff5ea0d3ca51f7e2ad2e35a40a28e46f46ce60d362eb277b546d3dcc7c1b068fde65cc8c670fd26f63b82a747419f70cbf538c98d561b6e6d6adc9ff8fc12b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5ffa50c1bb83d7bb96521dbffe60e3ad0
SHA17c65cf1d9ab7b118cd77c79ca9270b851e09b415
SHA256da5b999c9641dfaa6aae82a2965cc49699359d2a8d015658d3429a59079e7d20
SHA51242bf88e78ba878c9a3c1a1deb4eb6440b2e2190e4043ec14c5ed0687c3947e47826e9fda2d643dd30e650266e8c69824d34407d178cc5afd761b1dbeaa55d584
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\610fa74b-b43c-42f7-920b-bd08f376b6f0
Filesize11KB
MD56d6aea5813dbdada2c820c00ffc498dd
SHA1640d3c5b949ee368b9dbe72d3b6b2b018dd5e8ef
SHA25634692e2a262e74dda85edd6a50446d01a37ba212648452100fb69c2f63243f8d
SHA51265568f57c3ca7f428081f3761826d4d8ba31aeaf4c586273a09921211015d63232ca2d4ce45142f9032039c6756c4cf88df250c90e581bec4379a02dbb026066
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\eb6a3758-845a-4fd8-bac4-4999d5a90b02
Filesize746B
MD5e68c647e3a932104c80c534f4a0011c1
SHA1f2634d20ac875a072f57301540a8082546e1113a
SHA256a6ce5e2343e5eb5887f4448a138d5bee17624f9c8eea62b78b956e987832ff13
SHA512d231d0fd7c383a31fa7dd32ceafd168bf5c800c5bc4b89f52b8dad182f09f481c05c4fd92070064b2f2f7b85e4e32f79368495abdd800ea20d4c5867515a9218
-
Filesize
6KB
MD5973b10914bd902d1322031f08241da12
SHA1fd564544a09a4d327a323f45c2b5e583e247ff3f
SHA2562e7cceb18afdffb4f6cc96d657a0a54bd86de35ba8ef63ad5aad26dba398f34c
SHA512b8f39d46be440899c0075109748f315d8c7367305f77d55661388c7712ae21e90598656ebd4292688a2d80ce6b45957a4485258e26b43957021093fa6627772b
-
Filesize 6KB
MD5 196bab32c22be689ccad2161929c0818
SHA1 ae5e8a7dee1be5d86567a1d3219abbe1c76930c5
SHA256 4788158790d4314ca9ec450d943ce161f22814030903a199351c08e19a2e6722
SHA512 766ff39f64a6cecc84b4f1d5f836382fb6f8e1f56d8bbe1be42132cea522b11e7cb30201ff7fa5f0396583fd9ff73aaab12ade6289515635e4f19249e541e345
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 8KB
MD5 2b1db1a9d26cb303eb41f933802c1871
SHA1 0dff91a7aaa8b4ab2ef9b480a948610f9e5b4196
SHA256 f92f164a0818955fd66d91b6a4a3edac71d72afe68341e92b5d57a59b171c332
SHA512 3d97af21025072fbe342cb9d2ad6de1a7b8de67754033b1767b753ed70ada5887e6638f4e8e93c2400269d66fc6746939d3f3d6fa680148a337f565147358011
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 8KB
MD5 2c65dd5a1a61611643da75c0e2ac385a
SHA1 0befd99fd482b063ea717fbf1f0c62ea23299faa
SHA256 d45dd53f9a6350e119ed08ca4083ffa02b8cfa639897d31f94cd50dc108a69e0
SHA512 3f90fce838f806a2c368ddc6aa41f1aee12a02bece08180ac8aa03bf631d86704192d3435facf427a8f4fa8caa417993ba8bbcf59dd873a0f02a1c0d557d61e4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 8KB
MD5 53a89153c8be2208924b19bad7df309e
SHA1 53b79bd9386d45cc31799fa0bc72aa7e371bfbe0
SHA256 f941e5764f24fa277c64d82d1e8ee751160032eae9d97492c82586c646032ac9
SHA512 a2ce3e308fce78aabe3e545fa86579da6dbb28b994d4f27fbc1f6e7bdb32cb1325d9d0588a09cbdb1289e5bfd54e44dbbe0eb6a6ece3b5df03fbb528553df607
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 1e17dc9753fa4a504473ae5953e7f15d
SHA1 97eb0ccae36f31ce457037320f572925d6cc4acb
SHA256 0823c4745a3047705f2b3055f98a757a9393a659440abf3d20658300b82c309d
SHA512 796637434f7fd3e39cde4fca5f2f92bcb2533e1b894226f9e329dbfe43f52a6f2251578f93dbd771102f3aa33c9adcc41d203ac83f760f73b1a5dd797c27b8f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 6KB
MD5 677a39c5351423eb27bc27e90f4d535f
SHA1 236d9ad35b3cd52a1c56d805e3293dab56b30b88
SHA256 7f440ea98264e6edadec905a01d239e0c23b20ab8882cb41ce72cf71ca9c629a
SHA512 c012075373ae26ad5b431dd46ae064a7bde4eb5c396308cd8c4ad57c5345e05a867016d3fb2b2a7afa862f205fe359fe0d45d0a0fc503469f2dcca5c0412d557
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 8KB
MD5 fc73d8a3b15e09bcac6ef4cba1073efb
SHA1 17e7ba4d1525bd9c688d9aee2011abd5dde0e6ff
SHA256 2e01349e945c1b150f35bfd9ca39ead5bb99ed0fe7cc2c0a8998de34ee359be3
SHA512 cc77841eb0c5f69a4a7d6c78b7dab9a80fbcc90322709a92b33e0236f269200bc57ea728e99b3b3d91c7a9c8c1d63c187081c08b8ff712945b21ce2a7c415642
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 4f1e1cbfda531c47b486d960cd660048
SHA1 37be07ce036eac95a61da6a4f53ecc8cb562529f
SHA256 d837dac8b1c2f4d5334dcb0a18356a925ff7d6a489bc53a09d55607ee1a16ce2
SHA512 000ba2587c1553876ce4d540c549bad5ffdd2f213d0d18c4aa19719043464004d514c57324cbd3bc198a737d53dfe4b2c24cdca2e793561b8038e097a4e7443f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 7KB
MD5 4d3472b83795cc6fcb37aa1640555267
SHA1 86e4ed39529a0865c704cc191d792e7199afe997
SHA256 ee21566371413e39c1fc91a04ec5fc3f631ea4dea5e09dbeff82c158fdc99c36
SHA512 1e1c7f3c9426b3e4cbc1335ea0f6ffe4b5be118ff7c4821fbf670b52996ee39953b999508144275585c817a685b47f46e688e0f5cf5e7a4654b196b58ee3a39d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 184KB
MD5 7f868e557b098795d645df9ea302427f
SHA1 001f3306144559b4049a8ab139b4139f51e59c0e
SHA256 b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5
SHA512 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a
-
Filesize 247KB
MD5 733eb0ab951ae42a8d8cca413201e428
SHA1 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512 c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
-
Filesize 8KB
MD5 feef71c9299c0b6f7313074260fae590
SHA1 846b600d779edc8cafdb91ebca5b01f6faa4b97c
SHA256 96d2eaff43d5807ee8c55e6ac9a8d32855198dc3bf83327766e53e4e7a88ff53
SHA512 32a9f3d318f22fab3efcc3a6eb2a90b0ae33e4601ac563426b0b30b7d101c899585469781b90b75b3b521bc7d7ccb8fdc3b8e3508a60db3348beb53cc8575ccb
-
Filesize 221KB
MD5 28e855032f83adbd2d8499af6d2d0e22
SHA1 6b590325e2e465d9762fa5d1877846667268558a
SHA256 b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512 e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
-
Filesize 139KB
MD5 11d457ee914f72a436fa4a8a8f8446dd
SHA1 d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256 c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA512 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b
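The dropped-file listing above gives each artifact up to four digests, with the label fused to its value in the extracted text and, for some entries, no path at all. The following Python is an added example, not code from the sandbox report or its vendor: it parses that listing format into records, rejects digests of the wrong length or non-hex form, hashes a local file with the same four algorithms, and looks the result up strongest-algorithm-first. A record whose MD5 matches a file but whose SHA-256 does not is reported as a mismatch rather than a hit, since MD5 and SHA-1 are collision-prone. The embedded sample listing is copied from two of the entries above; all function and class names are this example's own.

```python
# Added example (not the sandbox report's own code): parse the dropped-file
# listing format shown above and match local files against it.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# A label may be fused to its value ("MD5ffa5...") or stand alone on one line
# with the value on the next ("Filesize" / "6KB"); both forms occur above.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: Optional[str] = None               # None when the listing omits it
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
        return
    algo, value = label.lower(), value.lower()
    if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"malformed {label} digest: {value!r}")
    rec.hashes[algo] = value


def parse_listing(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    cur, pending = DroppedFile(), None      # pending: label awaiting its value
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                     # entry separator
            if cur.path or cur.hashes:
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            _assign(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif PATH_RE.match(line):
            cur.path = line
        # anything else is report chrome and is ignored
    if cur.path or cur.hashes:
        records.append(cur)
    return records


def build_index(records: List[DroppedFile]) -> Dict[tuple, DroppedFile]:
    return {(a, d): r for r in records for a, d in r.hashes.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in HASH_LEN}


def hash_file(path: str) -> Dict[str, str]:
    hs = {a: hashlib.new(a) for a in HASH_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_digests(digests: Dict[str, str], index) -> Optional[dict]:
    """Look a file's digests up, strongest algorithm first. The hit record is
    re-checked against every digest supplied, so an entry whose MD5 matches
    but whose SHA-256 differs shows up under "mismatched", not as a clean hit."""
    for algo in ("sha512", "sha256", "sha1", "md5"):
        rec = index.get((algo, digests.get(algo, "")))
        if rec is None:
            continue
        matched = [a for a, v in rec.hashes.items() if digests.get(a) == v]
        mismatched = [a for a, v in rec.hashes.items()
                      if a in digests and digests[a] != v]
        return {"record": rec, "matched": sorted(matched),
                "mismatched": sorted(mismatched)}
    return None


# Two entries copied from the listing above, in its raw extracted form.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5ffa50c1bb83d7bb96521dbffe60e3ad0
SHA17c65cf1d9ab7b118cd77c79ca9270b851e09b415
SHA256da5b999c9641dfaa6aae82a2965cc49699359d2a8d015658d3429a59079e7d20
SHA51242bf88e78ba878c9a3c1a1deb4eb6440b2e2190e4043ec14c5ed0687c3947e47826e9fda2d643dd30e650266e8c69824d34407d178cc5afd761b1dbeaa55d584
-
Filesize
6KB
MD5973b10914bd902d1322031f08241da12
SHA1fd564544a09a4d327a323f45c2b5e583e247ff3f
SHA2562e7cceb18afdffb4f6cc96d657a0a54bd86de35ba8ef63ad5aad26dba398f34c
SHA512b8f39d46be440899c0075109748f315d8c7367305f77d55661388c7712ae21e90598656ebd4292688a2d80ce6b45957a4485258e26b43957021093fa6627772b
"""
```

In practice you would feed the whole listing to `parse_listing`, build the index once, and run `match_digests(hash_file(p), index)` over the files recovered from a host; anything returned with a non-empty `mismatched` list deserves a second look before it is treated as the same artifact the sandbox saw.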