Malware Analysis Report

2024-12-07 14:55

Sample ID 241004-3avkfasanm
Target desktop.ini
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
Tags
bootkit defense_evasion discovery exploit macro macro_on_action persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

Threat Level: Likely malicious

The file desktop.ini was found to be: Likely malicious.

Malicious Activity Summary

bootkit defense_evasion discovery exploit macro macro_on_action persistence

Downloads MZ/PE file

Possible privilege escalation attempt

Office macro that triggers on suspicious action

Executes dropped EXE

Modifies file permissions

Modifies boot configuration data using bcdedit

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in Windows directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-04 23:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-04 23:19

Reported

2024-10-04 23:24

Platform

win10-20240404-en

Max time kernel

316s

Max time network

317s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\desktop.ini

Signatures

Downloads MZ/PE file

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Downloads\0x07.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Prizm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Prizm(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\0x07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\winconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DetectKey.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7f440480b416db01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a4ba1a80b416db01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1592df83b416db01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5e2cd83b416db01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 575af77fb416db01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Users\Admin\Downloads\0x07.exe N/A
N/A N/A C:\Windows\Temp\winconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DetectKey.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\desktop.ini

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.0.1582683838\1937311564" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {656c6e30-43d9-4ea1-b98b-37077c3c1205} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1796 1ed551db258 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.1.1832258666\2146283892" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ee5b41-da34-4908-9649-9b80ea68aad3} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2152 1ed4a172e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.2.1278673315\1162007092" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2732 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5aa6bb-4565-4b69-aad7-4b4f65111389} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2744 1ed55160858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.3.125212754\1179345865" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3096881-233d-47c0-87aa-31c13a477510} 788 "\\.\pipe\gecko-crash-server-pipe.788" 3556 1ed5a2b3258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.4.859889298\1250420559" -childID 3 -isForBrowser -prefsHandle 3216 -prefMapHandle 3680 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52ff4c-392c-4c22-9e36-435b86285799} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4368 1ed5b1cb558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.5.1572713894\494285457" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4784 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6717005-4781-43fc-ae10-b775707b892b} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4756 1ed4a12ff58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.6.1661076916\1548802050" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9a15819-48da-41b6-9c30-8153543a95b9} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5020 1ed57bfd658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.7.275356741\1613313213" -childID 6 -isForBrowser -prefsHandle 4880 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aacc871-0517-4ce3-9fd0-901127de5fc7} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5208 1ed5b9d9158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.8.3355809\2093530671" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5576 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {614c0846-2577-4a00-b4cc-590ac2c0eb59} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5596 1ed57cfa558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.9.1452146512\345079908" -childID 8 -isForBrowser -prefsHandle 5700 -prefMapHandle 5692 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c671ec-107d-4201-91ed-77699199e9e4} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5756 1ed4a164758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.10.1765559355\241650633" -childID 9 -isForBrowser -prefsHandle 5948 -prefMapHandle 5952 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebfc526-7602-4f27-aefb-096a8956aad0} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5940 1ed5dde7258 tab

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Prizm.exe

"C:\Users\Admin\Downloads\Prizm.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ReceiveUninstall.css

C:\Users\Admin\Downloads\Prizm(1).exe

"C:\Users\Admin\Downloads\Prizm(1).exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\Downloads\0x07.exe

"C:\Users\Admin\Downloads\0x07.exe"

C:\Windows\Temp\winconfig.exe

"C:\Windows\Temp\winconfig.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D118.tmp\D119.tmp\D11A.bat C:\Windows\Temp\winconfig.exe"

C:\Users\Admin\AppData\Roaming\DetectKey.exe

"C:\Users\Admin\AppData\Roaming\DetectKey.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {current}

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='mmc.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='PartAssist.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='control.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='Security Task Manager.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='Security Task Manager Protable.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='CCleaner.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp64.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='procexp64a.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='regedit.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='iexplore.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='chrome.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='firefox.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='opera.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='edge.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='msedge.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='brave.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='wmplayer.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='notepad.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='notepad++.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\taskmgr.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\hal.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\winload.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\perfmon.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\resmon.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\logonui.exe

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\taskkill.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\tasklist.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\tskill.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\logonui.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\Process Hacker 2"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\drivers"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\hal.dll" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\winload.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='taskmgr.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='perfmon.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='logonui.exe' delete /nointeractive

C:\Windows\System32\Wbem\WMIC.exe

wmic process where name='ProcessHacker.exe' delete /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\hal.dll" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cacls.exe

cacls "C:\Windows\System32\drivers" /grant "everyone":F

Network

Country Destination Domain Proto
N/A 127.0.0.1:49766 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
N/A 127.0.0.1:49773 tcp
US 8.8.8.8:53 236.187.70.54.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.200.49:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.200.49:443 csp.withgoogle.com udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 49.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.179.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.179.238:443 consent.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 150.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\eb6a3758-845a-4fd8-bac4-4999d5a90b02

MD5 e68c647e3a932104c80c534f4a0011c1
SHA1 f2634d20ac875a072f57301540a8082546e1113a
SHA256 a6ce5e2343e5eb5887f4448a138d5bee17624f9c8eea62b78b956e987832ff13
SHA512 d231d0fd7c383a31fa7dd32ceafd168bf5c800c5bc4b89f52b8dad182f09f481c05c4fd92070064b2f2f7b85e4e32f79368495abdd800ea20d4c5867515a9218

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\610fa74b-b43c-42f7-920b-bd08f376b6f0

MD5 6d6aea5813dbdada2c820c00ffc498dd
SHA1 640d3c5b949ee368b9dbe72d3b6b2b018dd5e8ef
SHA256 34692e2a262e74dda85edd6a50446d01a37ba212648452100fb69c2f63243f8d
SHA512 65568f57c3ca7f428081f3761826d4d8ba31aeaf4c586273a09921211015d63232ca2d4ce45142f9032039c6756c4cf88df250c90e581bec4379a02dbb026066

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 ffa50c1bb83d7bb96521dbffe60e3ad0
SHA1 7c65cf1d9ab7b118cd77c79ca9270b851e09b415
SHA256 da5b999c9641dfaa6aae82a2965cc49699359d2a8d015658d3429a59079e7d20
SHA512 42bf88e78ba878c9a3c1a1deb4eb6440b2e2190e4043ec14c5ed0687c3947e47826e9fda2d643dd30e650266e8c69824d34407d178cc5afd761b1dbeaa55d584

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7f868e557b098795d645df9ea302427f
SHA1 001f3306144559b4049a8ab139b4139f51e59c0e
SHA256 b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5
SHA512 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 196bab32c22be689ccad2161929c0818
SHA1 ae5e8a7dee1be5d86567a1d3219abbe1c76930c5
SHA256 4788158790d4314ca9ec450d943ce161f22814030903a199351c08e19a2e6722
SHA512 766ff39f64a6cecc84b4f1d5f836382fb6f8e1f56d8bbe1be42132cea522b11e7cb30201ff7fa5f0396583fd9ff73aaab12ade6289515635e4f19249e541e345

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1e17dc9753fa4a504473ae5953e7f15d
SHA1 97eb0ccae36f31ce457037320f572925d6cc4acb
SHA256 0823c4745a3047705f2b3055f98a757a9393a659440abf3d20658300b82c309d
SHA512 796637434f7fd3e39cde4fca5f2f92bcb2533e1b894226f9e329dbfe43f52a6f2251578f93dbd771102f3aa33c9adcc41d203ac83f760f73b1a5dd797c27b8f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 973b10914bd902d1322031f08241da12
SHA1 fd564544a09a4d327a323f45c2b5e583e247ff3f
SHA256 2e7cceb18afdffb4f6cc96d657a0a54bd86de35ba8ef63ad5aad26dba398f34c
SHA512 b8f39d46be440899c0075109748f315d8c7367305f77d55661388c7712ae21e90598656ebd4292688a2d80ce6b45957a4485258e26b43957021093fa6627772b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4f1e1cbfda531c47b486d960cd660048
SHA1 37be07ce036eac95a61da6a4f53ecc8cb562529f
SHA256 d837dac8b1c2f4d5334dcb0a18356a925ff7d6a489bc53a09d55607ee1a16ce2
SHA512 000ba2587c1553876ce4d540c549bad5ffdd2f213d0d18c4aa19719043464004d514c57324cbd3bc198a737d53dfe4b2c24cdca2e793561b8038e097a4e7443f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 677a39c5351423eb27bc27e90f4d535f
SHA1 236d9ad35b3cd52a1c56d805e3293dab56b30b88
SHA256 7f440ea98264e6edadec905a01d239e0c23b20ab8882cb41ce72cf71ca9c629a
SHA512 c012075373ae26ad5b431dd46ae064a7bde4eb5c396308cd8c4ad57c5345e05a867016d3fb2b2a7afa862f205fe359fe0d45d0a0fc503469f2dcca5c0412d557

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4d3472b83795cc6fcb37aa1640555267
SHA1 86e4ed39529a0865c704cc191d792e7199afe997
SHA256 ee21566371413e39c1fc91a04ec5fc3f631ea4dea5e09dbeff82c158fdc99c36
SHA512 1e1c7f3c9426b3e4cbc1335ea0f6ffe4b5be118ff7c4821fbf670b52996ee39953b999508144275585c817a685b47f46e688e0f5cf5e7a4654b196b58ee3a39d

C:\Users\Admin\Downloads\aP3JFXVE.doc.part

MD5 28e855032f83adbd2d8499af6d2d0e22
SHA1 6b590325e2e465d9762fa5d1877846667268558a
SHA256 b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512 e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

memory/5984-456-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/5984-458-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/5984-460-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-459-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-461-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-463-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-462-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-457-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/5984-464-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-465-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-455-0x00007FFB302C5000-0x00007FFB302C6000-memory.dmp

memory/5984-470-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-473-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-472-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-474-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-477-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-476-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-480-0x00007FFAEC7A0000-0x00007FFAEC7B0000-memory.dmp

memory/5984-486-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-487-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-488-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-485-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-479-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-478-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-475-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-471-0x00007FFAEC7A0000-0x00007FFAEC7B0000-memory.dmp

memory/5984-469-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-468-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-454-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 74635f6e5554ebd726fdca0c002dbee2
SHA1 278e66625144f9d89050b0bedb482a68855b97d4
SHA256 483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
SHA512 bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fc73d8a3b15e09bcac6ef4cba1073efb
SHA1 17e7ba4d1525bd9c688d9aee2011abd5dde0e6ff
SHA256 2e01349e945c1b150f35bfd9ca39ead5bb99ed0fe7cc2c0a8998de34ee359be3
SHA512 cc77841eb0c5f69a4a7d6c78b7dab9a80fbcc90322709a92b33e0236f269200bc57ea728e99b3b3d91c7a9c8c1d63c187081c08b8ff712945b21ce2a7c415642

C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

MD5 e93b96c12ac2e0070063c487ab0b2d6c
SHA1 c2965d58b552e00f68198a8f65c5bc0f0c866529
SHA256 62a49e88555ce542f6c1b3c4c0efc4ea731a285f74b3f33a17950d6c15c33fea
SHA512 5763bc99c49f6556fcc5be1ab52acf3123e4546c9703f8aca51730481a18f5042afacc3b992e0b6a52483178aa11a805349d55ad860d5ed5ebf7e12767b0b643

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C5CDAABC.emf

MD5 0ed5bc16545d23c325d756013579a697
SHA1 dcdde3196414a743177131d7d906cb67315d88e7
SHA256 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512 c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

memory/5984-761-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D66E7128-DE29-4FA9-B467-90A5456A6C3E

MD5 fe36aec264befb55c856920bc8e8f752
SHA1 54226e1a541f60a2841e7596fcc2a7f520706a0d
SHA256 4204aec4095db6b249a4668f74ae9e833bb08b3271599f95799d8e75fa32fc2a
SHA512 f11cbf6e06ff0630fcce0b5e75479d8ef2bc47b0a2f27fd56e11e5f32313fa3640a435d43d71d6b48b738af6f3fe33b0af742aa82934f66a53f419471fe01c5a

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

MD5 67d104a08cc54e5bf225c69b41998e92
SHA1 7c4007eab0498211956c395b72edb3bb96188555
SHA256 6060a102469407ea0376f27957f381bf88d9706249eddb7035c275bfc4660166
SHA512 57349cf6df2aca8140a9919893361c6116ea24d399d245fef6b45e05587e72cc3764a348ae8344beaf2cd9fdb46ef532d45b42a7e9d190c75d80e56ffc74a7c3

memory/5984-784-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

memory/5984-783-0x00007FFB302C5000-0x00007FFB302C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 11bd814907d0d802a786a555445292c5
SHA1 05633f7a374b44e6cd4ac50f351a369c21172599
SHA256 f630444ddaf228eff00c08268251bb9aaf2fa7d409e138d70d6b18515c940320
SHA512 937b8141c56d527937a824245af2501945f592f82580d2edfe13642c7b1051c2c780ae32fd1cd3ded1dcaf40d17a9f2a46dffd0949eba2b2b1034b02f870df61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f33b91e1a88d7c71efb7ba9f847fff78
SHA1 c6d9ce79ccf95fd47da2111db773b661af973e67
SHA256 16a68159a20d43c0e701807681835738d1df5a833db5635ddca3af062ea5fcdd
SHA512 c7ff5ea0d3ca51f7e2ad2e35a40a28e46f46ce60d362eb277b546d3dcc7c1b068fde65cc8c670fd26f63b82a747419f70cbf538c98d561b6e6d6adc9ff8fc12b

memory/5984-809-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 e9df36c8be82ff90b0f04d5cf95ab9d9
SHA1 376fba72412774f39a1aa320c4ab078db7e586ad
SHA256 3db53b81021b7c0ef86fb9126a8730dc6bd035ece77218560f9bda3a57091d61
SHA512 3369b581a3db84762d52c70037bd356e1edd604859690cb730abaf56c1e0369e710508753e9992fef340189cba7e06f5f4b1b1f610233b19a31996718f0ce178

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 539d4727f076e3d5c82d15114cf134fd
SHA1 2fd824c596ff7823d32e52cf412e872af1c81165
SHA256 10ebccfc3815384a012a67bbdcb42f182720a5a761df1484c15d9a08e2a05dc9
SHA512 778dc36165a8bf1692454c0b63a39ac6852be0b0f1f907afe0ee43073d7db4a46ef1e2c36eba87aac4fbd23a4bde23ed09db72fa6cdb042045102960a31046b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 5c70e4c7473a751dd1c49bf0b8f15552
SHA1 449e8e29b512b3377a4d012d42f29cfd6dc43b8c
SHA256 606bdc54867bc753f1bb3c16c8262e17e99e34639a9fbd9f5e5e07cacf885fff
SHA512 5fdfdf6e0187fa8c259babc8926df771c656f4541fb4809516d3ebcc8b2fb92cd960670cbc8fd6536fd081e041331af6f40064db6fc9bde6de62a393c5340e06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 6c10b7c5a21012aa2f2822b924cbb1c5
SHA1 634e221b2a1cb2b101bc9ca8c98f9be4b22c0605
SHA256 4599d83871947bbc47bb71859248ad3bb191958ac87c45e049571f269c6e4600
SHA512 25b03fd8d8ae55bd28fbbb958e7e8ab173e5cce462a90c3df539d7a7f338d7f8ead2b967210a1dafebb123e76c27eaa606a397e6e07a1d652af8365e786775ab

memory/6048-906-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/6048-907-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/6048-905-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

memory/6048-904-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD5F1.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

memory/5984-1490-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

C:\Users\Admin\Downloads\Prizm.exe

MD5 feef71c9299c0b6f7313074260fae590
SHA1 846b600d779edc8cafdb91ebca5b01f6faa4b97c
SHA256 96d2eaff43d5807ee8c55e6ac9a8d32855198dc3bf83327766e53e4e7a88ff53
SHA512 32a9f3d318f22fab3efcc3a6eb2a90b0ae33e4601ac563426b0b30b7d101c899585469781b90b75b3b521bc7d7ccb8fdc3b8e3508a60db3348beb53cc8575ccb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2b1db1a9d26cb303eb41f933802c1871
SHA1 0dff91a7aaa8b4ab2ef9b480a948610f9e5b4196
SHA256 f92f164a0818955fd66d91b6a4a3edac71d72afe68341e92b5d57a59b171c332
SHA512 3d97af21025072fbe342cb9d2ad6de1a7b8de67754033b1767b753ed70ada5887e6638f4e8e93c2400269d66fc6746939d3f3d6fa680148a337f565147358011

memory/6104-1564-0x0000000000400000-0x0000000000407000-memory.dmp

memory/6104-1567-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\217

MD5 9ffa307aeb56ba4cfe2ee4477a3d90b7
SHA1 fb34e1a942957f4838f0f941eea90b8b2d4fe696
SHA256 ed5ce703a81a883ef24c58d1a95f1ed9a0be0fa3822b1e19a1fd3bc94ff80ed7
SHA512 3fec728565078aabd6088ab203afdeb96a4790325fa66d78f504dcb5cb37bd3157b8c2b0d2111ec6268e526f0cb4925739fbbcf2bce27d2448067aaba9a9c9d2

C:\Users\Admin\Downloads\0x07.exe

MD5 733eb0ab951ae42a8d8cca413201e428
SHA1 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
SHA256 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
SHA512 c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2c65dd5a1a61611643da75c0e2ac385a
SHA1 0befd99fd482b063ea717fbf1f0c62ea23299faa
SHA256 d45dd53f9a6350e119ed08ca4083ffa02b8cfa639897d31f94cd50dc108a69e0
SHA512 3f90fce838f806a2c368ddc6aa41f1aee12a02bece08180ac8aa03bf631d86704192d3435facf427a8f4fa8caa417993ba8bbcf59dd873a0f02a1c0d557d61e4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 53a89153c8be2208924b19bad7df309e
SHA1 53b79bd9386d45cc31799fa0bc72aa7e371bfbe0
SHA256 f941e5764f24fa277c64d82d1e8ee751160032eae9d97492c82586c646032ac9
SHA512 a2ce3e308fce78aabe3e545fa86579da6dbb28b994d4f27fbc1f6e7bdb32cb1325d9d0588a09cbdb1289e5bfd54e44dbbe0eb6a6ece3b5df03fbb528553df607

memory/2412-1626-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 488d3668744e2959160ed957bb25386d
SHA1 5bb88924bcffbff6c0da83fa7d3be8e41c2c8c45
SHA256 55f1946ff4ebe473032aeca81133fb0570ef1592a379108f373f37ecfd47ebf4
SHA512 3bc257cf643fdf7866b366583f6f58ac055c7118207b1a7067e712b8dee217af755806483407f711495bb83a6bc49883ab0590407008fc3fb3217d697d67ddde

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\1zkKfOxT9z9AEv759z0PVw==.ico

MD5 6b120367fa9e50d6f91f30601ee58bb3
SHA1 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512 c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

memory/3004-1656-0x000002424F720000-0x000002424F730000-memory.dmp

memory/3004-1640-0x000002424F620000-0x000002424F630000-memory.dmp

memory/3004-1675-0x000002424E7E0000-0x000002424E7E2000-memory.dmp

memory/6036-1683-0x0000014E69A00000-0x0000014E69B00000-memory.dmp

memory/5708-1690-0x000001DC4F100000-0x000001DC4F200000-memory.dmp

memory/5708-1696-0x000001DC60600000-0x000001DC60700000-memory.dmp

memory/5708-1715-0x000001DC60D00000-0x000001DC60E00000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF88FF31479BA2DC4B.TMP

MD5 52a26ba6af9e987170b8e764d190d2d2
SHA1 4c2b32a8d9406aacdead01c73dacd772ab37862a
SHA256 7d1096bbfd1aae43ce04d12facaf4d83237cd4bc5d4729f07d628f9b4bf6a43c
SHA512 fb68749d069a92ca702a502f66b35b2216b045ebe677da0d6926ded6ff6cdbc95f293afc4291e319cbeab2292370eea8d5286ad3f3b72acd44767b05def3fba1

C:\Windows\Temp\winconfig.exe

MD5 11d457ee914f72a436fa4a8a8f8446dd
SHA1 d0308ca82ed9716b667e8e77e9ae013b9af44116
SHA256 c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
SHA512 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b

C:\Users\Admin\AppData\Local\Temp\D118.tmp\D119.tmp\D11A.bat

MD5 a645734f3bf4a2682cbaf546789ec0c4
SHA1 fafcc11909412bf51f217e12dfaa93a15181a3e2
SHA256 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
SHA512 efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

C:\Users\Admin\AppData\Roaming\DetectKey.exe

MD5 aba9a3cf4e1db4602c25405987b809a6
SHA1 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
SHA256 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
SHA512 e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675