Analysis Overview
SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
Threat Level: Likely malicious
The file desktop.ini was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Possible privilege escalation attempt
Office macro that triggers on suspicious action
Executes dropped EXE
Modifies file permissions
Modifies boot configuration data using bcdedit
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-04 23:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-04 23:19
Reported
2024-10-04 23:24
Platform
win10-20240404-en
Max time kernel
316s
Max time network
317s
Command Line
Signatures
Downloads MZ/PE file
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Possible privilege escalation attempt
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Prizm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Prizm(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\0x07.exe | N/A |
| N/A | N/A | C:\Windows\Temp\winconfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DetectKey.exe | N/A |
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Downloads\0x07.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Prizm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Prizm(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\0x07.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\winconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DetectKey.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7f440480b416db01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a4ba1a80b416db01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1592df83b416db01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5e2cd83b416db01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 575af77fb416db01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Prizm(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\0x07.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{3B0FFBFD-2397-4E92-A9A8-376745DE7AA9}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\Downloads\Prizm.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\0x07.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\desktop.ini
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.0.1582683838\1937311564" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {656c6e30-43d9-4ea1-b98b-37077c3c1205} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1796 1ed551db258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.1.1832258666\2146283892" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ee5b41-da34-4908-9649-9b80ea68aad3} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2152 1ed4a172e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.2.1278673315\1162007092" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2732 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5aa6bb-4565-4b69-aad7-4b4f65111389} 788 "\\.\pipe\gecko-crash-server-pipe.788" 2744 1ed55160858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.3.125212754\1179345865" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3096881-233d-47c0-87aa-31c13a477510} 788 "\\.\pipe\gecko-crash-server-pipe.788" 3556 1ed5a2b3258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.4.859889298\1250420559" -childID 3 -isForBrowser -prefsHandle 3216 -prefMapHandle 3680 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52ff4c-392c-4c22-9e36-435b86285799} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4368 1ed5b1cb558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.5.1572713894\494285457" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4784 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6717005-4781-43fc-ae10-b775707b892b} 788 "\\.\pipe\gecko-crash-server-pipe.788" 4756 1ed4a12ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.6.1661076916\1548802050" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9a15819-48da-41b6-9c30-8153543a95b9} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5020 1ed57bfd658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.7.275356741\1613313213" -childID 6 -isForBrowser -prefsHandle 4880 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aacc871-0517-4ce3-9fd0-901127de5fc7} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5208 1ed5b9d9158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.8.3355809\2093530671" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5576 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {614c0846-2577-4a00-b4cc-590ac2c0eb59} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5596 1ed57cfa558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.9.1452146512\345079908" -childID 8 -isForBrowser -prefsHandle 5700 -prefMapHandle 5692 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c671ec-107d-4201-91ed-77699199e9e4} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5756 1ed4a164758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.10.1765559355\241650633" -childID 9 -isForBrowser -prefsHandle 5948 -prefMapHandle 5952 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebfc526-7602-4f27-aefb-096a8956aad0} 788 "\\.\pipe\gecko-crash-server-pipe.788" 5940 1ed5dde7258 tab
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Prizm.exe
"C:\Users\Admin\Downloads\Prizm.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ReceiveUninstall.css
C:\Users\Admin\Downloads\Prizm(1).exe
"C:\Users\Admin\Downloads\Prizm(1).exe"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\Downloads\0x07.exe
"C:\Users\Admin\Downloads\0x07.exe"
C:\Windows\Temp\winconfig.exe
"C:\Windows\Temp\winconfig.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D118.tmp\D119.tmp\D11A.bat C:\Windows\Temp\winconfig.exe"
C:\Users\Admin\AppData\Roaming\DetectKey.exe
"C:\Users\Admin\AppData\Roaming\DetectKey.exe"
C:\Windows\system32\bcdedit.exe
bcdedit /delete {current}
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='mmc.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='PartAssist.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='control.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='Security Task Manager.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='CCleaner.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp64.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='procexp64a.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='regedit.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='iexplore.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='chrome.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='firefox.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='opera.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='edge.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='msedge.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='brave.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='wmplayer.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='notepad.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='notepad++.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\taskmgr.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\hal.dll"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\winload.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\ntoskrnl.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\perfmon.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\resmon.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\logonui.exe
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\taskkill.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\tasklist.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\tskill.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\logonui.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Process Hacker 2"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='perfmon.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='ProcessHacker.exe' delete /nointeractive
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\system32\cacls.exe
cacls "C:\Windows\System32\drivers" /grant "everyone":F
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49766 | | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:49773 | | tcp |
| US | 8.8.8.8:53 | 236.187.70.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 142.250.200.49:443 | csp.withgoogle.com | tcp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 142.250.200.49:443 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | 2.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.179.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.179.238:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 21.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.18.63.57:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 57.63.18.2.in-addr.arpa | udp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 150.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\eb6a3758-845a-4fd8-bac4-4999d5a90b02
| MD5 | e68c647e3a932104c80c534f4a0011c1 |
| SHA1 | f2634d20ac875a072f57301540a8082546e1113a |
| SHA256 | a6ce5e2343e5eb5887f4448a138d5bee17624f9c8eea62b78b956e987832ff13 |
| SHA512 | d231d0fd7c383a31fa7dd32ceafd168bf5c800c5bc4b89f52b8dad182f09f481c05c4fd92070064b2f2f7b85e4e32f79368495abdd800ea20d4c5867515a9218 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\610fa74b-b43c-42f7-920b-bd08f376b6f0
| MD5 | 6d6aea5813dbdada2c820c00ffc498dd |
| SHA1 | 640d3c5b949ee368b9dbe72d3b6b2b018dd5e8ef |
| SHA256 | 34692e2a262e74dda85edd6a50446d01a37ba212648452100fb69c2f63243f8d |
| SHA512 | 65568f57c3ca7f428081f3761826d4d8ba31aeaf4c586273a09921211015d63232ca2d4ce45142f9032039c6756c4cf88df250c90e581bec4379a02dbb026066 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
| MD5 | ffa50c1bb83d7bb96521dbffe60e3ad0 |
| SHA1 | 7c65cf1d9ab7b118cd77c79ca9270b851e09b415 |
| SHA256 | da5b999c9641dfaa6aae82a2965cc49699359d2a8d015658d3429a59079e7d20 |
| SHA512 | 42bf88e78ba878c9a3c1a1deb4eb6440b2e2190e4043ec14c5ed0687c3947e47826e9fda2d643dd30e650266e8c69824d34407d178cc5afd761b1dbeaa55d584 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 7f868e557b098795d645df9ea302427f |
| SHA1 | 001f3306144559b4049a8ab139b4139f51e59c0e |
| SHA256 | b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5 |
| SHA512 | 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 196bab32c22be689ccad2161929c0818 |
| SHA1 | ae5e8a7dee1be5d86567a1d3219abbe1c76930c5 |
| SHA256 | 4788158790d4314ca9ec450d943ce161f22814030903a199351c08e19a2e6722 |
| SHA512 | 766ff39f64a6cecc84b4f1d5f836382fb6f8e1f56d8bbe1be42132cea522b11e7cb30201ff7fa5f0396583fd9ff73aaab12ade6289515635e4f19249e541e345 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1e17dc9753fa4a504473ae5953e7f15d |
| SHA1 | 97eb0ccae36f31ce457037320f572925d6cc4acb |
| SHA256 | 0823c4745a3047705f2b3055f98a757a9393a659440abf3d20658300b82c309d |
| SHA512 | 796637434f7fd3e39cde4fca5f2f92bcb2533e1b894226f9e329dbfe43f52a6f2251578f93dbd771102f3aa33c9adcc41d203ac83f760f73b1a5dd797c27b8f8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 973b10914bd902d1322031f08241da12 |
| SHA1 | fd564544a09a4d327a323f45c2b5e583e247ff3f |
| SHA256 | 2e7cceb18afdffb4f6cc96d657a0a54bd86de35ba8ef63ad5aad26dba398f34c |
| SHA512 | b8f39d46be440899c0075109748f315d8c7367305f77d55661388c7712ae21e90598656ebd4292688a2d80ce6b45957a4485258e26b43957021093fa6627772b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4f1e1cbfda531c47b486d960cd660048 |
| SHA1 | 37be07ce036eac95a61da6a4f53ecc8cb562529f |
| SHA256 | d837dac8b1c2f4d5334dcb0a18356a925ff7d6a489bc53a09d55607ee1a16ce2 |
| SHA512 | 000ba2587c1553876ce4d540c549bad5ffdd2f213d0d18c4aa19719043464004d514c57324cbd3bc198a737d53dfe4b2c24cdca2e793561b8038e097a4e7443f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 677a39c5351423eb27bc27e90f4d535f |
| SHA1 | 236d9ad35b3cd52a1c56d805e3293dab56b30b88 |
| SHA256 | 7f440ea98264e6edadec905a01d239e0c23b20ab8882cb41ce72cf71ca9c629a |
| SHA512 | c012075373ae26ad5b431dd46ae064a7bde4eb5c396308cd8c4ad57c5345e05a867016d3fb2b2a7afa862f205fe359fe0d45d0a0fc503469f2dcca5c0412d557 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4d3472b83795cc6fcb37aa1640555267 |
| SHA1 | 86e4ed39529a0865c704cc191d792e7199afe997 |
| SHA256 | ee21566371413e39c1fc91a04ec5fc3f631ea4dea5e09dbeff82c158fdc99c36 |
| SHA512 | 1e1c7f3c9426b3e4cbc1335ea0f6ffe4b5be118ff7c4821fbf670b52996ee39953b999508144275585c817a685b47f46e688e0f5cf5e7a4654b196b58ee3a39d |
C:\Users\Admin\Downloads\aP3JFXVE.doc.part
| MD5 | 28e855032f83adbd2d8499af6d2d0e22 |
| SHA1 | 6b590325e2e465d9762fa5d1877846667268558a |
| SHA256 | b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e |
| SHA512 | e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34 |
memory/5984-456-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp
memory/5984-458-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp
memory/5984-460-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-459-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-461-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-463-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-462-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-457-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp
memory/5984-464-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-465-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-455-0x00007FFB302C5000-0x00007FFB302C6000-memory.dmp
memory/5984-470-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-473-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-472-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-474-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-477-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-476-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-480-0x00007FFAEC7A0000-0x00007FFAEC7B0000-memory.dmp
memory/5984-486-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-487-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-488-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-485-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-479-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-478-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-475-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-471-0x00007FFAEC7A0000-0x00007FFAEC7B0000-memory.dmp
memory/5984-469-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-468-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp
memory/5984-454-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 74635f6e5554ebd726fdca0c002dbee2 |
| SHA1 | 278e66625144f9d89050b0bedb482a68855b97d4 |
| SHA256 | 483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424 |
| SHA512 | bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | fc73d8a3b15e09bcac6ef4cba1073efb |
| SHA1 | 17e7ba4d1525bd9c688d9aee2011abd5dde0e6ff |
| SHA256 | 2e01349e945c1b150f35bfd9ca39ead5bb99ed0fe7cc2c0a8998de34ee359be3 |
| SHA512 | cc77841eb0c5f69a4a7d6c78b7dab9a80fbcc90322709a92b33e0236f269200bc57ea728e99b3b3d91c7a9c8c1d63c187081c08b8ff712945b21ce2a7c415642 |
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf
| MD5 | e93b96c12ac2e0070063c487ab0b2d6c |
| SHA1 | c2965d58b552e00f68198a8f65c5bc0f0c866529 |
| SHA256 | 62a49e88555ce542f6c1b3c4c0efc4ea731a285f74b3f33a17950d6c15c33fea |
| SHA512 | 5763bc99c49f6556fcc5be1ab52acf3123e4546c9703f8aca51730481a18f5042afacc3b992e0b6a52483178aa11a805349d55ad860d5ed5ebf7e12767b0b643 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C5CDAABC.emf
| MD5 | 0ed5bc16545d23c325d756013579a697 |
| SHA1 | dcdde3196414a743177131d7d906cb67315d88e7 |
| SHA256 | 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3 |
| SHA512 | c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D66E7128-DE29-4FA9-B467-90A5456A6C3E
| MD5 | fe36aec264befb55c856920bc8e8f752 |
| SHA1 | 54226e1a541f60a2841e7596fcc2a7f520706a0d |
| SHA256 | 4204aec4095db6b249a4668f74ae9e833bb08b3271599f95799d8e75fa32fc2a |
| SHA512 | f11cbf6e06ff0630fcce0b5e75479d8ef2bc47b0a2f27fd56e11e5f32313fa3640a435d43d71d6b48b738af6f3fe33b0af742aa82934f66a53f419471fe01c5a |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
| MD5 | 67d104a08cc54e5bf225c69b41998e92 |
| SHA1 | 7c4007eab0498211956c395b72edb3bb96188555 |
| SHA256 | 6060a102469407ea0376f27957f381bf88d9706249eddb7035c275bfc4660166 |
| SHA512 | 57349cf6df2aca8140a9919893361c6116ea24d399d245fef6b45e05587e72cc3764a348ae8344beaf2cd9fdb46ef532d45b42a7e9d190c75d80e56ffc74a7c3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 11bd814907d0d802a786a555445292c5 |
| SHA1 | 05633f7a374b44e6cd4ac50f351a369c21172599 |
| SHA256 | f630444ddaf228eff00c08268251bb9aaf2fa7d409e138d70d6b18515c940320 |
| SHA512 | 937b8141c56d527937a824245af2501945f592f82580d2edfe13642c7b1051c2c780ae32fd1cd3ded1dcaf40d17a9f2a46dffd0949eba2b2b1034b02f870df61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | f33b91e1a88d7c71efb7ba9f847fff78 |
| SHA1 | c6d9ce79ccf95fd47da2111db773b661af973e67 |
| SHA256 | 16a68159a20d43c0e701807681835738d1df5a833db5635ddca3af062ea5fcdd |
| SHA512 | c7ff5ea0d3ca51f7e2ad2e35a40a28e46f46ce60d362eb277b546d3dcc7c1b068fde65cc8c670fd26f63b82a747419f70cbf538c98d561b6e6d6adc9ff8fc12b |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
| MD5 | e9df36c8be82ff90b0f04d5cf95ab9d9 |
| SHA1 | 376fba72412774f39a1aa320c4ab078db7e586ad |
| SHA256 | 3db53b81021b7c0ef86fb9126a8730dc6bd035ece77218560f9bda3a57091d61 |
| SHA512 | 3369b581a3db84762d52c70037bd356e1edd604859690cb730abaf56c1e0369e710508753e9992fef340189cba7e06f5f4b1b1f610233b19a31996718f0ce178 |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | 539d4727f076e3d5c82d15114cf134fd |
| SHA1 | 2fd824c596ff7823d32e52cf412e872af1c81165 |
| SHA256 | 10ebccfc3815384a012a67bbdcb42f182720a5a761df1484c15d9a08e2a05dc9 |
| SHA512 | 778dc36165a8bf1692454c0b63a39ac6852be0b0f1f907afe0ee43073d7db4a46ef1e2c36eba87aac4fbd23a4bde23ed09db72fa6cdb042045102960a31046b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | 5c70e4c7473a751dd1c49bf0b8f15552 |
| SHA1 | 449e8e29b512b3377a4d012d42f29cfd6dc43b8c |
| SHA256 | 606bdc54867bc753f1bb3c16c8262e17e99e34639a9fbd9f5e5e07cacf885fff |
| SHA512 | 5fdfdf6e0187fa8c259babc8926df771c656f4541fb4809516d3ebcc8b2fb92cd960670cbc8fd6536fd081e041331af6f40064db6fc9bde6de62a393c5340e06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | 6c10b7c5a21012aa2f2822b924cbb1c5 |
| SHA1 | 634e221b2a1cb2b101bc9ca8c98f9be4b22c0605 |
| SHA256 | 4599d83871947bbc47bb71859248ad3bb191958ac87c45e049571f269c6e4600 |
| SHA512 | 25b03fd8d8ae55bd28fbbb958e7e8ab173e5cce462a90c3df539d7a7f338d7f8ead2b967210a1dafebb123e76c27eaa606a397e6e07a1d652af8365e786775ab |
C:\Users\Admin\AppData\Local\Temp\TCD5F1.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
| MD5 | c56ff60fbd601e84edd5a0ff1010d584 |
| SHA1 | 342abb130dabeacde1d8ced806d67a3aef00a749 |
| SHA256 | 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c |
| SHA512 | acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
| MD5 | f1b59332b953b3c99b3c95a44249c0d2 |
| SHA1 | 1b16a2ca32bf8481e18ff8b7365229b598908991 |
| SHA256 | 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c |
| SHA512 | 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
| MD5 | e4e83f8123e9740b8aa3c3dfa77c1c04 |
| SHA1 | 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 |
| SHA256 | 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
| SHA512 | bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9 |
C:\Users\Admin\Downloads\Prizm.exe
| MD5 | feef71c9299c0b6f7313074260fae590 |
| SHA1 | 846b600d779edc8cafdb91ebca5b01f6faa4b97c |
| SHA256 | 96d2eaff43d5807ee8c55e6ac9a8d32855198dc3bf83327766e53e4e7a88ff53 |
| SHA512 | 32a9f3d318f22fab3efcc3a6eb2a90b0ae33e4601ac563426b0b30b7d101c899585469781b90b75b3b521bc7d7ccb8fdc3b8e3508a60db3348beb53cc8575ccb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 2b1db1a9d26cb303eb41f933802c1871 |
| SHA1 | 0dff91a7aaa8b4ab2ef9b480a948610f9e5b4196 |
| SHA256 | f92f164a0818955fd66d91b6a4a3edac71d72afe68341e92b5d57a59b171c332 |
| SHA512 | 3d97af21025072fbe342cb9d2ad6de1a7b8de67754033b1767b753ed70ada5887e6638f4e8e93c2400269d66fc6746939d3f3d6fa680148a337f565147358011 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\217
| MD5 | 9ffa307aeb56ba4cfe2ee4477a3d90b7 |
| SHA1 | fb34e1a942957f4838f0f941eea90b8b2d4fe696 |
| SHA256 | ed5ce703a81a883ef24c58d1a95f1ed9a0be0fa3822b1e19a1fd3bc94ff80ed7 |
| SHA512 | 3fec728565078aabd6088ab203afdeb96a4790325fa66d78f504dcb5cb37bd3157b8c2b0d2111ec6268e526f0cb4925739fbbcf2bce27d2448067aaba9a9c9d2 |
C:\Users\Admin\Downloads\0x07.exe
| MD5 | 733eb0ab951ae42a8d8cca413201e428 |
| SHA1 | 640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1 |
| SHA256 | 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb |
| SHA512 | c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 2c65dd5a1a61611643da75c0e2ac385a |
| SHA1 | 0befd99fd482b063ea717fbf1f0c62ea23299faa |
| SHA256 | d45dd53f9a6350e119ed08ca4083ffa02b8cfa639897d31f94cd50dc108a69e0 |
| SHA512 | 3f90fce838f806a2c368ddc6aa41f1aee12a02bece08180ac8aa03bf631d86704192d3435facf427a8f4fa8caa417993ba8bbcf59dd873a0f02a1c0d557d61e4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 53a89153c8be2208924b19bad7df309e |
| SHA1 | 53b79bd9386d45cc31799fa0bc72aa7e371bfbe0 |
| SHA256 | f941e5764f24fa277c64d82d1e8ee751160032eae9d97492c82586c646032ac9 |
| SHA512 | a2ce3e308fce78aabe3e545fa86579da6dbb28b994d4f27fbc1f6e7bdb32cb1325d9d0588a09cbdb1289e5bfd54e44dbbe0eb6a6ece3b5df03fbb528553df607 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 488d3668744e2959160ed957bb25386d |
| SHA1 | 5bb88924bcffbff6c0da83fa7d3be8e41c2c8c45 |
| SHA256 | 55f1946ff4ebe473032aeca81133fb0570ef1592a379108f373f37ecfd47ebf4 |
| SHA512 | 3bc257cf643fdf7866b366583f6f58ac055c7118207b1a7067e712b8dee217af755806483407f711495bb83a6bc49883ab0590407008fc3fb3217d697d67ddde |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\1zkKfOxT9z9AEv759z0PVw==.ico
| MD5 | 6b120367fa9e50d6f91f30601ee58bb3 |
| SHA1 | 9a32726e2496f78ef54f91954836b31b9a0faa50 |
| SHA256 | 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0 |
| SHA512 | c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF88FF31479BA2DC4B.TMP
| MD5 | 52a26ba6af9e987170b8e764d190d2d2 |
| SHA1 | 4c2b32a8d9406aacdead01c73dacd772ab37862a |
| SHA256 | 7d1096bbfd1aae43ce04d12facaf4d83237cd4bc5d4729f07d628f9b4bf6a43c |
| SHA512 | fb68749d069a92ca702a502f66b35b2216b045ebe677da0d6926ded6ff6cdbc95f293afc4291e319cbeab2292370eea8d5286ad3f3b72acd44767b05def3fba1 |
C:\Windows\Temp\winconfig.exe
| MD5 | 11d457ee914f72a436fa4a8a8f8446dd |
| SHA1 | d0308ca82ed9716b667e8e77e9ae013b9af44116 |
| SHA256 | c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef |
| SHA512 | 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b |
C:\Users\Admin\AppData\Local\Temp\D118.tmp\D119.tmp\D11A.bat
| MD5 | a645734f3bf4a2682cbaf546789ec0c4 |
| SHA1 | fafcc11909412bf51f217e12dfaa93a15181a3e2 |
| SHA256 | 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0 |
| SHA512 | efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d |
C:\Users\Admin\AppData\Roaming\DetectKey.exe
| MD5 | aba9a3cf4e1db4602c25405987b809a6 |
| SHA1 | 6cd545ea023ce9cdfe76607c6801cc11ff7d9e80 |
| SHA256 | 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6 |
| SHA512 | e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675 |