Malware Analysis Report

2024-10-10 10:08

Sample ID 240420-vy8g7sdf35
Target Auora.exe
SHA256 886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
Tags umbral stealer persistence spyware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b

Threat Level: Known bad

The file Auora.exe was found to be: Known bad.

Malicious Activity Summary

umbral stealer persistence spyware

Detect Umbral payload

Umbral

Umbral family

Drops file in Drivers directory

Registers COM server for autorun

Reads user/profile data of web browsers

Modifies system executable filetype association

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Detects videocard installed

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Views/modifies file attributes

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 17:24

Signatures

Detect Umbral payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Umbral family

umbral

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 17:24

Reported

2024-04-20 17:38

Platform

win10-20240404-en

Max time kernel

693s

Max time network

698s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Auora.exe"

Signatures

Detect Umbral payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Umbral

stealer umbral

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Auora.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of SendNotifyMessage

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5116 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\Auora.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 5116 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\Auora.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2996 wrote to memory of 4928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 2804 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 2804 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 352 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 4928 wrote to memory of 2152 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Auora.exe

"C:\Users\Admin\AppData\Local\Temp\Auora.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.0.287739424\1526139595" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5bbcbca-4b7a-473a-9813-bb5a4fc7e28c} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 1796 15b347d8858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.1.1937405023\1905143001" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bb3fb24-4e22-4961-a5e8-d43b9222d0ca} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 2136 15b22472858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.2.45660742\2121742018" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2860 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daca326e-977d-4445-9a8c-e3e7aa1503aa} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 2688 15b38ac8858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.3.512322442\1432680055" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc55d969-669d-4d1b-a1dd-e439c3ed1188} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 3484 15b22462558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.4.828976096\744920070" -childID 3 -isForBrowser -prefsHandle 4416 -prefMapHandle 4412 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bacbd67-56cc-4191-844e-ae9290659876} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 4428 15b39b96258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.5.1127200955\2083534621" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9650b71c-f24e-4641-aa06-f478e2a02d8c} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 4968 15b22461958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.6.810400788\1944488681" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d06e078-140f-4244-879e-e3e890d19c66} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 4988 15b3b465f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.7.927535438\349274209" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e80c88c-5a95-4919-9507-495e4e459b8b} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 5292 15b3b4d1858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.8.1560701118\1256214177" -childID 7 -isForBrowser -prefsHandle 2640 -prefMapHandle 3920 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58255705-8c89-4cf3-b795-b816ab07e8ff} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 2636 15b3ae4fb58 tab

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x398

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.9.1140612609\1409687776" -childID 8 -isForBrowser -prefsHandle 1604 -prefMapHandle 3900 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99155365-b5b8-4764-a7cd-4ebafe700310} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 5836 15b38aca358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.10.74645171\486493461" -childID 9 -isForBrowser -prefsHandle 5196 -prefMapHandle 5208 -prefsLen 26777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f72526f-bff3-4ecf-b23b-7eeae99712b0} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 5272 15b2242f358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.11.111892798\352709960" -childID 10 -isForBrowser -prefsHandle 5992 -prefMapHandle 5196 -prefsLen 26777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86799cd8-eb33-4a66-b10d-7e80b1cdfb59} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 6020 15b3a54b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.12.1022128033\665934639" -parentBuildID 20221007134813 -prefsHandle 6456 -prefMapHandle 5992 -prefsLen 26777 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {247ea450-68e4-4859-b5e4-fa2bf5ecc725} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 6464 15b3cdb8458 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.13.1645099042\847835183" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6592 -prefMapHandle 5888 -prefsLen 26777 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e962ae-6332-44a7-9d39-ff62a5242115} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 4988 15b34cdc558 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.14.1466813492\2102856470" -childID 11 -isForBrowser -prefsHandle 5748 -prefMapHandle 6232 -prefsLen 26777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07328fdc-f220-4d35-ac45-e89b7d70b237} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 5544 15b3c8acb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.15.1847473473\1345485951" -childID 12 -isForBrowser -prefsHandle 6260 -prefMapHandle 6156 -prefsLen 27477 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5924367-6d67-4a82-99dc-deff865b050a} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 6016 15b3b4ce258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.16.248360949\542399363" -childID 13 -isForBrowser -prefsHandle 5840 -prefMapHandle 5900 -prefsLen 27477 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f80bac-f8ad-4674-9abc-da18ee4c6d66} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 4800 15b3b466b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.17.1512283719\1957040906" -childID 14 -isForBrowser -prefsHandle 5172 -prefMapHandle 4340 -prefsLen 27477 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9d55f1b-5848-401d-8597-5b37abf9b480} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 1580 15b3ae51c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.18.318658048\934546482" -childID 15 -isForBrowser -prefsHandle 6928 -prefMapHandle 6988 -prefsLen 27477 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44529f53-7e96-4b14-8306-171682b58510} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 5172 15b3c844d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4928.19.1387597453\1136511683" -childID 16 -isForBrowser -prefsHandle 5748 -prefMapHandle 11180 -prefsLen 27477 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ff27e2f-6691-4d74-b744-7e1a07c1df39} 4928 "\\.\pipe\gecko-crash-server-pipe.4928" 6820 15b34c7a758 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.0.1050860695\1260587820" -parentBuildID 20221007134813 -prefsHandle 1584 -prefMapHandle 1576 -prefsLen 21569 -prefMapSize 233863 -appDir "C:\Program Files\Mozilla Firefox\browser" - {961f9daf-8977-407b-9e00-7eb603efbf74} 688 "\\.\pipe\gecko-crash-server-pipe.688" 1664 21828206558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.1.1280758534\24845955" -parentBuildID 20221007134813 -prefsHandle 1984 -prefMapHandle 1980 -prefsLen 21614 -prefMapSize 233863 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63bce091-6e18-43cc-bb33-21f54b37f4ce} 688 "\\.\pipe\gecko-crash-server-pipe.688" 2004 218160de458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.2.678662415\1165562979" -childID 1 -isForBrowser -prefsHandle 1000 -prefMapHandle 2764 -prefsLen 22075 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b78cbf-54a7-493c-bc25-21e616981dd8} 688 "\\.\pipe\gecko-crash-server-pipe.688" 2776 2182825ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.3.2105000056\527653851" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97cf6c01-5a37-4418-b215-b9f5dde82176} 688 "\\.\pipe\gecko-crash-server-pipe.688" 3576 21816061f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.4.1378638368\1923735800" -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc91f855-f73d-43e5-88c3-9b20eb0834df} 688 "\\.\pipe\gecko-crash-server-pipe.688" 4440 2182b996f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.5.1014411575\527870864" -childID 4 -isForBrowser -prefsHandle 4616 -prefMapHandle 4744 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66c7077d-e0d3-475a-99a2-70cb00824942} 688 "\\.\pipe\gecko-crash-server-pipe.688" 4704 2182e890158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.6.995176716\1745668456" -childID 5 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d19e7ba-8e5c-47c6-880e-3909345fadae} 688 "\\.\pipe\gecko-crash-server-pipe.688" 4892 2182e891058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.7.1648612238\2111138985" -childID 6 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9390bf5d-f2b3-485f-86d4-9a75a0df6ba9} 688 "\\.\pipe\gecko-crash-server-pipe.688" 4876 2182e891958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.8.1136613753\1692945692" -childID 7 -isForBrowser -prefsHandle 2396 -prefMapHandle 4292 -prefsLen 27321 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e689a8f-64bb-421a-b998-01e97df1b667} 688 "\\.\pipe\gecko-crash-server-pipe.688" 2436 2182cf54d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.9.566033679\612173572" -childID 8 -isForBrowser -prefsHandle 4792 -prefMapHandle 4796 -prefsLen 27321 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f2131ea-6565-4091-8f89-95c558341ab8} 688 "\\.\pipe\gecko-crash-server-pipe.688" 4848 2182e755458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.10.1937166477\1676663246" -childID 9 -isForBrowser -prefsHandle 3948 -prefMapHandle 5900 -prefsLen 27321 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f27130-fa59-4ed6-b28f-52f50487bf6a} 688 "\\.\pipe\gecko-crash-server-pipe.688" 5848 21830ba4458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="688.11.1214419542\697296369" -childID 10 -isForBrowser -prefsHandle 4648 -prefMapHandle 3576 -prefsLen 27321 -prefMapSize 233863 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74556a2d-2dff-4096-9734-adbdb09227af} 688 "\\.\pipe\gecko-crash-server-pipe.688" 5952 2182b996658 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:49803 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.233.67.78:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 78.67.233.44.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
N/A 127.0.0.1:49811 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:80 discord.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:80 discord.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 assets-global.website-files.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
GB 18.165.160.37:443 assets-global.website-files.com tcp
GB 18.165.160.37:443 assets-global.website-files.com tcp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
GB 142.250.200.42:443 ajax.googleapis.com tcp
GB 142.250.200.42:443 ajax.googleapis.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 18.165.158.198:443 d3e54v103j8qbb.cloudfront.net tcp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
GB 142.250.200.42:443 ajax.googleapis.com udp
GB 18.165.160.37:443 d3vmvmej3wjbxn.cloudfront.net tcp
GB 18.165.160.37:443 d3vmvmej3wjbxn.cloudfront.net tcp
US 8.8.8.8:53 37.160.165.18.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 198.158.165.18.in-addr.arpa udp
US 104.18.5.175:443 global.localizecdn.com tcp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 175.5.18.104.in-addr.arpa udp
US 104.18.5.175:443 global.localizecdn.com udp
US 8.8.8.8:53 assets.website-files.com udp
GB 13.224.81.122:443 assets.website-files.com tcp
GB 13.224.81.122:443 assets.website-files.com tcp
GB 13.224.81.122:443 assets.website-files.com tcp
GB 13.224.81.122:443 assets.website-files.com tcp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
US 8.8.8.8:53 122.81.224.13.in-addr.arpa udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 119.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 remote-auth-gateway.discord.gg udp
US 8.8.8.8:53 remote-auth-gateway.discord.gg udp
US 8.8.8.8:53 remote-auth-gateway.discord.gg udp
US 162.159.136.234:443 remote-auth-gateway.discord.gg tcp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 id.google.com udp
US 142.250.65.99:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 99.65.250.142.in-addr.arpa udp
US 142.250.65.99:443 id.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.200.250.142.in-addr.arpa udp
GB 142.250.200.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.18.125.91:443 js.hcaptcha.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.18.125.91:443 js.hcaptcha.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 104.18.125.91:443 newassets.hcaptcha.com tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 104.18.125.91:443 newassets.hcaptcha.com tcp
US 104.18.125.91:443 newassets.hcaptcha.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 91.125.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 104.18.125.91:443 api.hcaptcha.com tcp
US 8.8.8.8:53 api.hcaptcha.com udp
US 104.18.125.91:443 api.hcaptcha.com udp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 104.18.124.91:443 imgs3.hcaptcha.com udp
US 104.18.124.91:443 imgs3.hcaptcha.com tcp
US 8.8.8.8:53 91.124.18.104.in-addr.arpa udp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 imgs3.hcaptcha.com udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-25glene6.gvt1.com udp
FR 173.194.190.134:443 r1---sn-25glene6.gvt1.com tcp
US 8.8.8.8:53 r1.sn-25glene6.gvt1.com udp
US 8.8.8.8:53 r1.sn-25glene6.gvt1.com udp
FR 173.194.190.134:443 r1.sn-25glene6.gvt1.com udp
US 8.8.8.8:53 134.190.194.173.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 assets-global.website-files.com udp
GB 142.250.200.42:443 ajax.googleapis.com tcp
GB 142.250.200.42:443 ajax.googleapis.com tcp
US 104.18.5.175:443 global.localizecdn.com tcp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
GB 18.165.160.98:443 d3vmvmej3wjbxn.cloudfront.net tcp
GB 18.165.160.98:443 d3vmvmej3wjbxn.cloudfront.net tcp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
GB 18.165.158.198:443 d3e54v103j8qbb.cloudfront.net tcp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 assets-global.website-files.com udp
GB 18.165.160.45:443 assets-global.website-files.com tcp
GB 18.165.160.45:443 assets-global.website-files.com tcp
US 104.18.5.175:443 global.localizecdn.com udp
GB 142.250.200.42:443 ajax.googleapis.com udp
US 8.8.8.8:53 98.160.165.18.in-addr.arpa udp
US 8.8.8.8:53 assets.website-files.com udp
GB 13.224.81.122:443 assets.website-files.com tcp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
GB 13.224.81.122:443 d1r5qv5z4elg7c.cloudfront.net tcp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.178.14:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 142.250.65.99:443 id.google.com udp
US 142.250.65.99:443 id.google.com tcp
US 142.250.65.99:443 id.google.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 104.16.113.74:443 www.mediafire.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 104.16.113.74:443 www.mediafire.com udp
US 8.8.8.8:53 static.mediafire.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 104.16.113.74:443 static.mediafire.com tcp
US 104.16.113.74:443 static.mediafire.com tcp
US 104.16.113.74:443 static.mediafire.com tcp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
GB 216.58.213.10:443 ajax.googleapis.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 104.16.113.74:443 static.mediafire.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 216.58.213.10:443 ajax.googleapis.com udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 73.79.16.104.in-addr.arpa udp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
GB 3.162.19.176:443 cdn.amplitude.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 176.19.162.3.in-addr.arpa udp
US 8.8.8.8:53 api.amplitude.com udp
US 54.71.232.169:443 api.amplitude.com tcp
US 8.8.8.8:53 api.amplitude.com udp
US 8.8.8.8:53 api.amplitude.com udp
US 44.239.212.98:443 api.amplitude.com tcp
US 8.8.8.8:53 static.hotjar.com udp
US 8.8.8.8:53 static-cdn.hotjar.com udp
US 8.8.8.8:53 static-cdn.hotjar.com udp
GB 18.165.160.116:443 static-cdn.hotjar.com tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.38.181:443 analytics.google.com tcp
US 8.8.8.8:53 analytics-alv.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 18.165.160.116:443 static-cdn.hotjar.com tcp
US 8.8.8.8:53 analytics-alv.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.38.181:443 analytics-alv.google.com udp
BE 64.233.167.157:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 181.38.239.216.in-addr.arpa udp
US 8.8.8.8:53 116.160.165.18.in-addr.arpa udp
US 8.8.8.8:53 169.232.71.54.in-addr.arpa udp
US 8.8.8.8:53 98.212.239.44.in-addr.arpa udp
US 8.8.8.8:53 157.167.233.64.in-addr.arpa udp
BE 64.233.167.157:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 script.hotjar.com udp
US 8.8.8.8:53 script.hotjar.com udp
GB 54.230.10.10:443 script.hotjar.com tcp
US 8.8.8.8:53 script.hotjar.com udp
US 162.159.134.22:443 device.maxmind.com tcp
US 8.8.8.8:53 device.maxmind.com udp
US 8.8.8.8:53 10.10.230.54.in-addr.arpa udp
US 8.8.8.8:53 22.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 d-ipv6.mmapiws.com udp
US 172.64.145.79:443 d-ipv6.mmapiws.com tcp
US 8.8.8.8:53 d-ipv6.mmapiws.com udp
US 8.8.8.8:53 d-ipv6.mmapiws.com udp
US 8.8.8.8:53 79.145.64.172.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
N/A 127.0.0.1:51249 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:51265 tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 assets-global.website-files.com udp
GB 216.58.213.10:443 ajax.googleapis.com udp
GB 18.165.160.45:443 assets-global.website-files.com tcp
GB 18.165.160.45:443 assets-global.website-files.com tcp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 global.localizecdn.com udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
US 8.8.8.8:53 d3vmvmej3wjbxn.cloudfront.net udp
US 8.8.8.8:53 assets.website-files.com udp
GB 13.224.81.45:443 assets.website-files.com tcp
GB 13.224.81.45:443 assets.website-files.com tcp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
US 8.8.8.8:53 d1r5qv5z4elg7c.cloudfront.net udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 45.160.165.18.in-addr.arpa udp
US 8.8.8.8:53 45.81.224.13.in-addr.arpa udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 encrypted-tbn1.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn1.gstatic.com udp
GB 142.250.180.14:443 encrypted-tbn2.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn1.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn1.gstatic.com udp
GB 142.250.180.14:443 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.virustotal.com udp
US 74.125.34.46:443 www.virustotal.com tcp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 46.34.125.74.in-addr.arpa udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.180.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.180.3:443 www.recaptcha.net tcp
GB 142.250.180.3:443 www.recaptcha.net udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp

Files

memory/5116-0-0x000002367A500000-0x000002367A540000-memory.dmp

memory/5116-1-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp

memory/5116-2-0x000002367CA50000-0x000002367CA60000-memory.dmp

memory/5116-4-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\b410456f-9d02-4e58-ba35-9c713c784586

MD5 8ef6f860dbe9379e5a1b01ae14245193
SHA1 25e5f21dab19d66448de7290795091acd90815b2
SHA256 d1e3c38183bc07a2a65a12de8bc7cf94649cc5bca185cd2bca986f7a351831ae
SHA512 0295c02a3428a90e8fba511b785346bcb5e410ac32aa5b3200b8449a8c761ba4ddf9e795156e65470c0fcb6ca50732191478c74c753bd16dad87af7bd5201d8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\987a6275-cc8f-4845-88ec-5e18e276a6ba

MD5 e6d1539891931d27f0e829389b571089
SHA1 247fd8eafd5afe6d3c66a27e892aa198cc0bb176
SHA256 78612c900d25ac92f0f42a28d334a2f0061ecc95bd76c0109bd334864b2a59b6
SHA512 e71cd010c923da9919db6ca873a2d4de42ed8beaeabff53dad7e37a26024f942819cda8b2f0dd6553e6b3f42423a85257c1caa52f2690216f20871722af47cc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin

MD5 933c1079fcbdf8635bed434e401bc6d8
SHA1 1d5de56b0b6215532a44126fa98fdf368c7687cc
SHA256 e7d4bba01d9029931c1e7bfeb4804ed361af7350afb45dcba3f829c48e471d56
SHA512 8a53cbf1dd0886a2b2d7bbc19b87449ab7de4df0bf002e83c5608d0c9cc10eb224936f37809588385c98500286675eea6bef75e0ec8a03b9fb2603e08fd56e3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

MD5 9bdfdafff74fc7edc6ee246575224257
SHA1 f1f5403eda1f31addeca0beec855121740b806a0
SHA256 fcc72c45f183fc091b538817d6dc359dc8fca4d053397fed26259158393953c3
SHA512 b1c7d2058b4f30c0ff8ea551830ea30b69bc0b6df980c8d288595fc2f49ddd64c6ade90cd669264da82d9b3ed845e140ee45d90b9f2e3bbaf77e583c4e2b7627

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2fd62445bb47fc742a6f101871112593
SHA1 ba38d49f854bc66381ddf5abc3cd48330a8c39a3
SHA256 7112cb785739df5912c180a52b81c607eb1e24bb241fce09db42265c25a9c5d7
SHA512 c277d712d0db8773af2f828efc38a9f532c7cd1f3a2b4a6b35da6c20ca27784d9f90237f233c672f4cb56f8418b4e33f6fe262ee066c3865b06c595f3a547a53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 71f9e0eb39c879261cd6155660c4785b
SHA1 385403b75d2a0c3c81d3622d1c4c38b7881fddd0
SHA256 5f9e614c51d25e8c6de97a3563457e56e2360654e942f26756eb41b1f3b801ae
SHA512 a3f55cfe1689f4ba0ca804b403eaadfe82cfa5fd0553ecce0a7117fade02d2e5e774f95606c453772d9bffbfe0ee36d296d4f2e204dba065d3dad0860f0db543

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 81c71073f0bb0aaebf8627d6e743eea3
SHA1 fd13d82682ab3154c0b0a22a19ee18ab34508137
SHA256 77737bc23c79f87b653280f0300cd39496548b7c5620cfd86df4e17d5d43a0f2
SHA512 60952c9930d260acf347667849a4354d664da2820eef055195ccc69ae1bab880142938b27f59ddd1b12c69608cba0de586e3a541ca3236e7d655371475039a8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0a1e7137df815380c026cd4eaf7424be
SHA1 7cebe0a8a530f3fb66a78a3ab43f20f54f543454
SHA256 01463d8f50ba94f8b499a7fdee06f17f4699f808e1b0f63928e6a12ef7f17051
SHA512 2f522931b20bc5fd573963b550155284e22fd19f2330878b8dc7c448fb81198528b6715dd3d14ed3854a737d2397d429cf1092981fcefd658513c3246fea6c47

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\3C037406957C6A3957979D98A58F5D96FF6B1489

MD5 191bbcff9abf92bbd7c8d323ba30051d
SHA1 568af6fba4a1c81729f605da55f7f06b3cb1c1fb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\619A564A33795F7DF5E789140FA4F92709D55373

MD5 36a58cef5eb7296fdfec7817f2e2a7b0
SHA1 064c7b75e64c62c5a3e31b768910e778a24470ae
SHA256 f4b2ac5bdd67c39b69d059894b44a84e9905c4c45a94a970db0b827a5ba20c48
SHA512 a4aa7b8f7bec2b0627e3d53aa2ae0c0c512b59acf796f015b5c468d3682f4b50a8e2d9ff654b470c4c2f37f3a3d92701f5285a5c7044b276fe6a1bcde741117a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\3A5E7B231D9E677D2C296D968A601E675EBDB376

MD5 892f2ddc7f4182e4dc7460d430cf970c
SHA1 cca403b2ea2a581ab65473d46624bb613b1b4b35
SHA256 5557ab9ef79f143c56d644b5c8e3b257f37a95f7f7652c1136521fd5748dbea6
SHA512 ac98ff136965f298beb5b135a831b922eba31cb66bac1c092357c9c698fd8ad6d7418520e7828a1f43f0b0b74a997a2a741b2745b9b16c750ef4943571f315a5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\81F3AE44C123A9246482811B129CD90660347DC0

MD5 052c0c212d9861ec67ffa6fecc1c2a5e
SHA1 6e6495c20ccd0b875a186f055813508a7d06b830
SHA256 180308d44161dc877d641ad67e5deb74a0c97306b7f7882dcefa4dd9c7393028
SHA512 546e11bdf327d6f3a56b4423ed14696167a541e5b53c5f9b6216c7be5a7cdd64f2298fb50e103cdce7aafafc417b7f0b7280c3ae7497002b1f5d2a2fc7763db5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\BB09B5C01DC42876FEAC8D1B5ED711F0333ED40E

MD5 5744c25c5f2254901deb7654ae49bd92
SHA1 df8726f6eed2d2141c0d0e4512442be70e09ab04
SHA256 f830d82d8e32f37994bad4d9f8447b09cb27d714ea7d2e1d04c11e4b0dbc85cd
SHA512 f3be9dcb81ff759d2f8c3027ed62ff18bf517965dd411444677f9501f92a3dcc45793e1ee0c1c5d53b8708912f458eb26d3320a676b237c4b934e8405e120995

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\62AA83B82F0F7302EB55A9D7994B8F3E5487D921

MD5 e864a99d45bb1259396fba79ab108d87
SHA1 efdf2ce05fe0b10d9d54af2003c5ea726e6988e5
SHA256 48a1fb0733116f89bbdd351eb2b37d58abdde71edc6634f443b0d51c46451790
SHA512 3df1f0b8c3c8840940b89934d81c8d69e27524cd9f795c0cad601e46eb77c46f69bd724d8644cfdceccef3e42dcae3487abe36544b1206d88e19856cdd41356a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.google.com\ls\usage

MD5 0bf7ca950cfb7d099873904c3f22aac0
SHA1 ca2ce4e66008cd2ea1190172aacba3eb11748373
SHA256 52d35ddfa1efed8b2b2c794b8787d2bba8986abb604e585f7b9dba374459881e
SHA512 2b77fb0b9763c80c7fd15606c4c0d3533d52d954596526ff734cc744c9c0bd9323903fb2029c479de73685a737ace5a69dad17741941e23405da06dfff9350c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.google.com\.metadata-v2

MD5 3586d2be5b8a706ed3bf669b9c8dd5de
SHA1 59d7419fcb80d42dd33e015d85d30b3ebf7d3ee2
SHA256 b386281d0cda3bb2ddf701ae5d958bf5c9f26c116ca57b5034dc81e653c7654c
SHA512 4c88c563b2d9d6cb815d3273db4b7eb04ba3fa7e40a76306b32b8ce5686edb8f0857ac784991a922e7eb2f5951325e891ced4d60911be18a392c71f8f2433bc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 73613b0ddd35e926f57da16b5f816e94
SHA1 3d4cb7895640d06949107d2110fe277bfef1a822
SHA256 ffc2a15c22361fc2189876c5848c37bc19ef86a2b2bd19a4de92ed232a3d9ed0
SHA512 add64af07a99eb35e2f2ab6b38600310655f043d8bc8ab398ace653190e4563a14ee5a4c81b73ad4810ce972525f16a34378dd468397716e0718735330ebe6a5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\7943793AD6EF12CA229A1DF7A721B44C210BBC82

MD5 cb5681784e976e3b9582cced278dc927
SHA1 ca8acf909f227d66ef26d90040479f093be43747
SHA256 a16255289325ce65ac2975952caf1b1798d5b45709eeb5cd6ce1f3f3f480ecbd
SHA512 ff39c6b9a9a0febb8fc3591d7532c1b5f84241b157ad476777bc6f7b5eb4f59eaadd41e6ed65669d51d677863f55cfe4c702d24e238805806de25c6a8b625407

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\F7A7E74236F6C480FD83B367204B1A57D1026A6C

MD5 5e52ab61535d02fcc90114c24cd4d9e7
SHA1 a8158d9fac9d79811e5fe510b22154a938386022
SHA256 f98f8116cd11852a12e88c5a1e74fc60ab5eb426e65e48262b4439d65ce10558
SHA512 042ed55825eb5f2260aebad202e76026bd7f3e5d92e54e9729c704fdc4bfa4c44cf15bbc6dcb1d151553176f3cb81cd4a08af75b8f0b0e8ba57a408b91f4ad6a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\E5E6326F948929DE089F4BB1580A84A65963AC14

MD5 f9266921ad74c1327fff4628d9a208f1
SHA1 76102166cf485ae1af3bb2ec3532e212439f4f82
SHA256 4378f5f93396208116b0d9fa441e5178c526c0c4e7a765a51d38adccdeea2ace
SHA512 d1f93808e44df60ffa9abcd19e868fda523282260ae8e989329fdcabec59a090d07069e14e4717348d26bb09bd11b169ec4bd9cee8e448c78e0ed881b12cffb0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\81F3AE44C123A9246482811B129CD90660347DC0

MD5 fa8a9bbd30daa9e319f2fb73097ab3fe
SHA1 eb6365e566b39a4ca82636eb975021e48912bebb
SHA256 d4279da67cb2e018edba67588343da623c3295fe327d58f2f84ff2507daf3721
SHA512 ff386264d63df2ac154ba4850e5d7c4222cc4d72f29415cdbda096aaf0ef70baf51b587951d615fcea38226f987cc54b7b6e96c05980ec1c897d8708c997d246

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\BB09B5C01DC42876FEAC8D1B5ED711F0333ED40E

MD5 0a4830d7457ab4b9d2aebc636a71e614
SHA1 afa91ba9049839cfb7fe455fad24cb6f8da8bf08
SHA256 95d6b59d78aa3cf1c2a4d445fb2a05e821d14299e0eb9e8253c1985fb8c8ad49
SHA512 987f2fc5d7bee0453c52a7a759e712f984667c35f7ef52050e630f6c2525234339dbd2f00833eacacf6b261ea081fcd6fbed2ae7886c71f872feec37b3a9673b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\0942A70BFC6BC63E8192E982FABD5C46F9458AAC

MD5 c3c132c6066bfe097c4a56e5aa8e290b
SHA1 153e3cb797eb32c3631d1056ee740e4c9f8f0767
SHA256 6f8dfda76ca2249aeee90e298d2f668f3ba209d6b95ec38f23325ac57ddf4447
SHA512 a0b015f0f0c9e2d300ba5f30802c56bd54a70ec290cc48e2ad4cbb5b2b72030bcbe9254950883cbb51033a4cdc5912fe98da40d92955b4206f5a58a3562caa03

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\13920

MD5 3f7d2e964e9523abae573eb35393cd18
SHA1 85d692c2f7a3ccf0c90897b9e21ee38cac8d0b03
SHA256 733653a282c2d163bc48613691acc41d57171b86bc169ad9564e1b5d298ae129
SHA512 a26ad75d214a3a322cd1300b2150c416a27872c98d57a0b5293f8e4612679ab1043e3817f450b61c76749f9ca49783555f075c571f05de4135a18891d25eb1f5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\A7F7359EA34B730A16B8D8B0F850E5E530DEA758

MD5 03db5518eb2d7e14e3416d9018cae5b4
SHA1 ebf2a5dbf333f1e0942f46b6cbe7c1209500cfe5
SHA256 550fd24e1728d96c40364526d2bd445ac9f14aa99f61e26c4885617d7886a599
SHA512 afcea26105cba366ed609747dec7187216d153fe21e54995f678ab7b308f8428de29b3b2d67df966b419806d147556de7d31b96223cec21bd208f3ff060430c7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\D589493B32669A64F15AD72A940799E03BD11B70

MD5 050b26df9a50c6bb426740777a584db8
SHA1 14724fbea7f0246274c79040ea28f1edce555081
SHA256 e651676261370860ed9f04238a6168f32490a4f29f5895fc90d5b32def96438a
SHA512 260c6ad2ba22627694bfdccdf4abcbfc167f69d21e95398bdd1f1378f04ae9c6c811e22d731dbb320fe8f670ee0acea48d7df9613ae86b60d91a385fd606d4b3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

MD5 f098353731101d545c35ef0fe5e7da72
SHA1 4f9451d00c1ac84aa99b53bcc226e2cac64c2727
SHA256 323726c06739a5d342c5a834044609e0a846aade00a52de600f5fb8b395888c1
SHA512 6a407d5a8aa5c460c2c7d419028309618a68d3fe4a5a1996b664ec850337275fac7030c213364663bb15935200f8c7decfbb45b996c75f40e1384b7dc5b748e4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 83f3449fb50ca564a9f4a0665bccd031
SHA1 cc1d970f84c48535183f3086c5e3ad96a57e842e
SHA256 afe899bd56fef4bc87d04cb776d209f77f28eef161cf4e93172394b5b88af74d
SHA512 7e6eb55ceeff10828b9a7a56db2b5db4d31dab109376ba1f57147724e959367b296ab8121bd1e8724020f6e62fb2f3761383f2ae2bc017d7e74ca62fcd9dbf04

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\crashes\store.json.mozlz4.tmp

MD5 a6338865eb252d0ef8fcf11fa9af3f0d
SHA1 cecdd4c4dcae10c2ffc8eb938121b6231de48cd3
SHA256 078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965
SHA512 d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d0387d10f144124dd96bb679872984dd
SHA1 0c912fee5248788d4a05ba9c7333df3c7cb3493b
SHA256 9701a4d9b72997572b7d623093ec4fcbdd00a5ee28ff618d1fc2fc98cf082a4a
SHA512 f6a032f75c5132c95238b280aebf649adfcfe9db7969a1965579ec803d3ec1df58f72f79182ec7be0ce66f82cbe0eff9ff936b59adf350551016dd880070bd39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4c4c44d653d26c6419245eb3b98164ab
SHA1 6e9de416715166549dc4cac7f0f3ea86f87e84c2
SHA256 41e8f6cedfd2d99b01a4888187996994ec29e134ccea4beedaf060bab9673c2b
SHA512 c894d5a4d0ff9cec731516b0ae8546d536dc775bd5d3f15b0599c96c2f326c36c43f3f75ec3178d99b537f199aa7ad428a2778c0bb92532872f92184e603b21d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 12f624be21b48fcc5af85abfa13c93ff
SHA1 939105c81b85e4d3f9fa8e8755d2a6b5b6cfefdc
SHA256 20d963f6ab8056db386daa7c140dc02a4ee360e693c92f53357cbdba49206244
SHA512 a26ac8b2a359686cfbcfaa71d2a1207210a3ebf3e853b5905e95429dfe6dcef9456e857d06a3de7d50647f1d1fb93369aac221fc3116af6a00d5ab45e74aa279

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms

MD5 3915702a6ae7c60d71a16c652690a08d
SHA1 b70c909cff9f5b7bdaa3b5377f067f200fba67d6
SHA256 7d1287368f52fa22832f426d9f4423f89c90c6cd6bb7fdd62384c8d937e424c9
SHA512 48a5dec0f4be88d3c64ef5c97edc7f99597cd33f86eb72a9a656c4b5fbc462f9cbcde3abd8360bfec8732e510c4d5721853315abeda44b6eeded17ce0421a75d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 22d292440e0baee087d5e1548d8dcd1f
SHA1 5e5aa1dbed985529ec7c55b36235dafcbf7dc9bc
SHA256 d12b89558144eb13148d94303818fc91bbad99c4977c34c89822c5e3dd03a070
SHA512 0a740214982453c8892a9f5ebc778816d90a423376885463983ef72a3ca60f4cc18644e2790b3ce38969306fa0ad212314a5a23783839512185949f16fb9016f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\jumpListCache\aIJ838KxbX4qpTln8T3QRA==.ico

MD5 42ed60b3ba4df36716ca7633794b1735
SHA1 c33aa40eed3608369e964e22c935d640e38aa768
SHA256 6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8
SHA512 4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ee708d1c7f7922ffa8d6cb82585476e2
SHA1 45e05558fe69336c599e49b30dcb26a5abe80e6e
SHA256 e5c8fe33b1426cd45a69dda31c4e8959c01189851c1b867a734b65b6502396d2
SHA512 864d0c79612a5ad51f360f0f71d0ab6373689c07b5fa2feccca03a6602ce66c812e1482112697937f8b158afb598407b050231d4ecfde65b7002ec90916757a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7d797dd5efca20d6aa4017bbad29cfba
SHA1 dc0736535c95f5e5e05ffffb553ee7bfd16c6340
SHA256 52153fa78eff476d28bac68c684eecd24627ab4be10d9facc04525c69d40e02a
SHA512 f6d212a391fd0af8dd144139a5142bc44e1237c63da9a86a0131a54d7903b0c1856a7ba272ff4e9d50dc3d6e7cb48c54c9cc808f86692d913930c2ac7ed843f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8ed99c45cfc4f33628e252e1c96d0463
SHA1 01ca57894c4f09adf3c329cd29380916210a7c22
SHA256 9efb43e3ed3d84a3b62c24a1965841bea0a6b34435a16433d93092d79dc0600d
SHA512 c27d35f7cf32f24b7e78045a4c97c8df239a01fd55d5ab7942b7cfa5a06d90d96a7a27d9edb4ec7ce227e61572e368444edc1980ddac4c1675c25bb77a4aa676

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 7ed1254ef23fd72a2e8ec7b928c6e178
SHA1 d1b3126b6a7a3732926261212c8fc3d6a35fd897
SHA256 d829d70620b6b1dd51c9a8ae3abda85ed30f974797712278577da3a71bb23851
SHA512 4fcd703529d5b883c5a01dfaf8719b688e4eb3031d12e1a4057a619d42fbabfebea496583527f84ec046e868f7299580d85d1f120ec179f375fcaeab94bd5dc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\targeting.snapshot.json

MD5 d2b0c9d2b8a9a9e0fd497bb4b74f0e28
SHA1 33f3b30639a13a6513b81b3c78a0586e06a652ac
SHA256 ef322b0546afcf1061c395b45e13fbd0d0bf3e7e9ac33450ba58616d21aa1880
SHA512 8863b9e28bf3c0114398a35a7f7dcc664552bbd14f10cc0c0dc1966b150d9f46d3b47ee934c612258fc31e79674495f4cf3032d42b35c48b644d12c5b62631e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\xulstore.json

MD5 d4672542ca89f43f07e294bbd3429e74
SHA1 7f37ce3b5f59ee5a7624462e3640050ec0264e34
SHA256 d778d507a0069608bb5a7748649f12cfe71040e2da18501f6ad952454c751d18
SHA512 b5a3955b3f7baac350be05a6e24de104ce2a3dcd6cb479d199793cec415507e87e7edd52d99a3dde8f615b0c60c6fffb16b9bdf2b1ac8e561cdab7b6a3d3a7c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 aa0c80df61a81a954c2cfa04799390ab
SHA1 7cfb62e4453cf18a2002f524505eb087331aed7e
SHA256 c750ca15e1abd5ce86fa8d8b131be808923c91a0352e837913cc678d64c8d156
SHA512 7c25883acb8dbb85a59dfbe8122a7e94c3e5d127d3f1e84ac7f36871058ad4d1949139e5cae58f3058e0370f3a1f4196f5df48c300e9ff13b91e658142c81821

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 17:24

Reported

2024-04-20 17:36

Platform

win11-20240412-en

Max time kernel

600s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Auora.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Auora.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\CLSID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\OOBERequestHandler.OOBERequestHandler\ = "OOBERequestHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\odopen C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ = "ILaunchUXInterface" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID\ = "StorageProviderUriSource.StorageProviderUriSource.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\OOBERequestHandler.OOBERequestHandler C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\OOBERequestHandler.OOBERequestHandler\CLSID\ = "{94269C4E-071A-4116-90E6-52E557067E4E}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ = "IFileSyncClient5" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\SYSTEM32\attrib.exe
PID 4144 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\SYSTEM32\attrib.exe
PID 4144 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\System32\Wbem\wmic.exe
PID 4144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\SYSTEM32\cmd.exe
PID 4144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Auora.exe C:\Windows\SYSTEM32\cmd.exe
PID 2492 wrote to memory of 1012 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2492 wrote to memory of 1012 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Auora.exe

"C:\Users\Admin\AppData\Local\Temp\Auora.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Auora.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Auora.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Auora.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
N/A 239.255.255.250:3702 udp
N/A 239.255.255.250:3702 udp
US 8.8.8.8:53 225.88.219.68.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1utdhdr.byp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bddc96a32b9ed8fc70b141ccf4a39b2
SHA1 0f33c0699da40a5eadcec646791cf21cdb0dd7c6
SHA256 cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132
SHA512 e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

memory/3408-64-0x000002D735B40000-0x000002D735B50000-memory.dmp

memory/3408-66-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

memory/3920-72-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57083a8e45ebe4fd84c7c0f137ec3e21
SHA1 857b5ea57f7bcf03cadee122106c6e58792a9b84
SHA256 f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40
SHA512 4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

memory/3920-76-0x0000019FAA020000-0x0000019FAA030000-memory.dmp

memory/3920-78-0x0000019FAA020000-0x0000019FAA030000-memory.dmp

memory/3920-79-0x0000019FAA020000-0x0000019FAA030000-memory.dmp

memory/3920-81-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

memory/4144-84-0x000001417CBB0000-0x000001417CBC2000-memory.dmp

memory/4144-83-0x000001417CAA0000-0x000001417CAAA000-memory.dmp

memory/4728-87-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9db2bc0a0bdfa296036c380393d879e6
SHA1 671288bb74f568effac2199c9213cf7e23a31ef9
SHA256 cce5cc392ad9a82edd35129076da6bb2c3ebe85e158efef8ee7740e9e722c678
SHA512 a1331966d5669c465ccbfbb588d8e09d295aba56be1e0bc895966da28916bdfb2e3333e24f48a54c68f3c3af0f78ec70cea1e07ec2e2647e154d7dfc4d412fc7

memory/4728-97-0x0000024150740000-0x0000024150750000-memory.dmp

memory/4728-99-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

memory/4144-104-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

memory/1532-105-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-106-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-108-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-107-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-109-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-111-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-112-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-113-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-110-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-114-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-115-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-116-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-117-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-118-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-120-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-121-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-119-0x00007FFD50E10000-0x00007FFD50E20000-memory.dmp

memory/1532-122-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-124-0x00007FFD91DD0000-0x00007FFD91E8D000-memory.dmp

memory/1532-123-0x00007FFD50E10000-0x00007FFD50E20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 35375f95b1430c8b11ebeb931fba0dda
SHA1 5122d139ac357db969c191b941bd479ceb9dc59f
SHA256 fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b
SHA512 b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

memory/1532-158-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-159-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-160-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-161-0x00007FFD53030000-0x00007FFD53040000-memory.dmp

memory/1532-162-0x00007FFD92FA0000-0x00007FFD931A9000-memory.dmp

memory/1532-163-0x00007FFD91DD0000-0x00007FFD91E8D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 8cb702e0a6e0514253e5a293ec06bfb0
SHA1 d221ec5cfc1f7808827533afc50993f54ede59f4
SHA256 6712ceb76d7b598bd73e7cf6eacddab62a67ed8e0febabf9f4fd26f94f5d9532
SHA512 70e0c03e124823cb0826c4f9236dcaee883d732b8062f8ea4e26ee3b70142f69164dcdbcec74c1b1ca3cf07cc05055156b3a8b192b10759d00a18e272a3332a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 002a548bd7311e3171689d577cd2ea34
SHA1 28439cbee475bed74fa2054c74bc18a879622b97
SHA256 0057b81f3c09f24f605b25d130a90b6ea4c3a60c00afa8950fafa122c54af55c
SHA512 46963e6cbd0bedd8f6a406e40908128f2204889fd2d5e3a87ad3e1cdd868d691ad5f6af5648394d1bfebb1f9c8c649645fd9d9fb120718d30078de0e58f8da6f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20OIFLVL\update100[2].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 af28f927a82be941b0508ae0c893f364
SHA1 d0babd73a22a6e3ccadd024409abe1c9a432da1c
SHA256 a7c2a643c3dc4d5754c47ed84b1e33b769a663f96ac580930a3c8715c4b5a4ea
SHA512 12d508e5b434f14c62ed2e6bf285f37c6bd123f5405f854160ceef9a8c0bc51479f91aeda37b65d96aed96665fd3ec37b924b3b2ac2867c6a3a4902a33e3499d
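The Files listing above mixes two kinds of record: dropped files (a path line followed by MD5/SHA1/SHA256/SHA512 lines) and memory dumps named `memory/<pid>-<seq>-<start>-<end>-memory.dmp`. The parser below is an added example, not part of the report or of the sandbox that produced it; it reads that plain-text layout, validates digest lengths, tolerates a hash block whose path line was cut off (as at the top of this section), computes each dumped region's size, and reports address ranges that recur across several PIDs, which are usually shared image mappings rather than per-process payload and are therefore a lower triage priority. The sample input is a handful of entries copied from this listing and is labelled as such in the code; nothing about the file contents is inferred beyond what the listing states.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the report's Files listing, in its own
# layout. The first line is a digest whose path line lies outside the excerpt,
# which the parser must tolerate rather than misfile under a previous path.
SAMPLE = r"""
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

memory/1708-12-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

memory/4088-19-0x00007FFD72150000-0x00007FFD72C12000-memory.dmp

memory/4088-20-0x000001A2A5B70000-0x000001A2A5B80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 af28f927a82be941b0508ae0c893f364
SHA1 d0babd73a22a6e3ccadd024409abe1c9a432da1c
SHA256 a7c2a643c3dc4d5754c47ed84b1e33b769a663f96ac580930a3c8715c4b5a4ea
SHA512 12d508e5b434f14c62ed2e6bf285f37c6bd123f5405f854160ceef9a8c0bc51479f91aeda37b65d96aed96665fd3ec37b924b3b2ac2867c6a3a4902a33e3499d
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def validate_hash(algo, value):
    """A digest is only usable as an IOC if it has the full hex length for its algorithm."""
    return HASH_LEN.get(algo) == len(value)


def parse_files_section(text):
    """Split the listing into dropped files and dumped memory regions.

    Returns (files, regions). Each file is {"path": str | None, "hashes": {algo: hex}};
    a hash block with no preceding path gets path None instead of being attached to
    whatever came before. Each region is {"pid", "seq", "start", "end", "size"} as ints.
    """
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq), "start": start,
                            "end": end, "size": end - start})
            current = None  # a dump line ends any file entry in progress
            continue
        m = HASH_RE.match(line)
        if m:
            algo, value = m.groups()
            if not validate_hash(algo, value):
                raise ValueError(f"{algo} digest has wrong length: {value}")
            if current is None:
                current = {"path": None, "hashes": {}}
                files.append(current)
            current["hashes"][algo] = value.lower()
            continue
        # Anything else is a path line and starts a new file entry.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, regions


def shared_regions(regions):
    """Return {(start, end): [pids]} for address ranges dumped from more than one PID.

    The same virtual range showing up in several processes is typical of a shared
    image mapping (system DLLs get one base per boot), so it is a weaker lead than
    a range unique to one process.
    """
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def executables(files):
    """Dropped files with PE-style extensions, the ones to pull for static analysis first."""
    return [f["path"] for f in files
            if f["path"] and f["path"].lower().endswith((".exe", ".dll", ".sys", ".scr"))]


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for f in files:
        print(f["path"] or "<path outside excerpt>", f["hashes"].get("SHA256"))
    for (start, end), pids in shared_regions(regions).items():
        print(f"shared range 0x{start:016X}-0x{end:016X} ({end - start:#x} bytes) in PIDs {pids}")
    print("executables:", executables(files))
```

Feed the whole Files section to `parse_files_section` to get a hash list you can match against your own telemetry; the `ValueError` on a short digest is deliberate, since a truncated hash silently matches nothing.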