Analysis Overview
SHA256
d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
Threat Level: Known bad
The file Opera.exe was found to be: Known bad.
Malicious Activity Summary
Umbral family
Xworm
Umbral
Xworm family
Detect Xworm Payload
Detect Umbral payload
Drops file in Drivers directory
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Views/modifies file attributes
NTFS ADS
Uses Task Scheduler COM API
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 13:15
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 13:15
Reported
2024-04-26 13:26
Platform
win10-20240404-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Opera.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b8b6a935dd97da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b9234432dd97da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000077be5bc85fff0f41b198e57ac8b8fd556f949a8d834d04243c3e36a10818c33f9f86645be44698351fe2e4a6d231d32847088fcadd3e9ee4169c | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 69055f34dd97da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Opera.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Opera.exe
"C:\Users\Admin\AppData\Local\Temp\Opera.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.0.785884306\520282606" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1624 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2b27ca1-1d07-4130-9b46-2d90e87c56e6} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 1720 1f2931f4d58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.1.114254307\1143745263" -parentBuildID 20221007134813 -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97135303-6f31-474e-b0de-7fc9643e4482} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2108 1f292b41958 socket
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.2.135195726\1258005419" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2968 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf445491-c395-438b-a880-e3f76ce4fac5} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2944 1f297197558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.3.693188196\2020291680" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca22dd52-3dad-478c-90d1-935503a1fdcf} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3452 1f287e61f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.4.2076861460\1814433807" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4296 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d24509-16a4-4d4a-bc21-c7a99d73984d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4320 1f29921e358 tab
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.5.784412914\1526721620" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc938f41-17fd-4a76-8870-7f37287291f8} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4800 1f287e62258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.6.141288439\352932363" -childID 5 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76de6abc-bcb3-4468-ba5a-dcc2db041487} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4884 1f299496758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.7.319893757\1180504177" -childID 6 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5b81f3-2add-45a9-8206-3932dd707e78} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4912 1f299496a58 tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.8.538590279\47800966" -childID 7 -isForBrowser -prefsHandle 6088 -prefMapHandle 6084 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2943164-ddd4-4e86-942c-e19c63f1db72} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5540 1f29ae86e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.9.290925440\879106275" -childID 8 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5e67f4-9c56-468d-825a-fecb32bd0cdb} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6132 1f29ae87a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.10.1093434033\1828280291" -childID 9 -isForBrowser -prefsHandle 6216 -prefMapHandle 6240 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce5add9-4239-41ba-9c63-2b03f8729b82} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6316 1f29ae89e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.11.752001682\1145238142" -childID 10 -isForBrowser -prefsHandle 6500 -prefMapHandle 5016 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70a45c95-38f3-4407-a532-a9cf137d2957} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4992 1f29342f858 tab
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.12.1289579916\1137941508" -childID 11 -isForBrowser -prefsHandle 5288 -prefMapHandle 6312 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cc7662-f316-4635-a009-a2a660b2e83d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5180 1f299ba9958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.13.240442987\989605971" -childID 12 -isForBrowser -prefsHandle 3972 -prefMapHandle 2504 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f741b7-7816-4330-8aa9-1535bcb29030} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5196 1f29ad29158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.14.1661367114\708816911" -childID 13 -isForBrowser -prefsHandle 10296 -prefMapHandle 10292 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {976df849-95bd-455c-94fb-fd8854218b3a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10304 1f29b124258 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Opera.exe
"C:\Users\Admin\Downloads\Opera.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.15.1886885090\1676064267" -childID 14 -isForBrowser -prefsHandle 10128 -prefMapHandle 2648 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df02ce31-9c5d-4658-830f-0efacaa4ad29} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6024 1f29af20458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.16.967545651\1558656289" -childID 15 -isForBrowser -prefsHandle 10212 -prefMapHandle 10152 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5496fa6d-b453-4e7b-972d-4dbf8ca616aa} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10160 1f29b2d2d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.17.293763883\1533402784" -childID 16 -isForBrowser -prefsHandle 4432 -prefMapHandle 4436 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {547af0a8-3666-4dd3-986d-86e1e6c5cd0b} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4324 1f29b2d3358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.18.1405195493\1341552779" -childID 17 -isForBrowser -prefsHandle 10128 -prefMapHandle 10148 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ade00c-ce6a-45e1-a633-e0ecedf3674f} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 9856 1f29b309558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.19.824604785\1969642871" -childID 18 -isForBrowser -prefsHandle 10364 -prefMapHandle 4560 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0bc3241-c8dc-4ebb-9cdc-239d78d8197a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4620 1f2994d4e58 tab
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 44.233.67.78:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.67.233.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:50001 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:50027 | tcp | |
| US | 8.8.8.8:53 | phentermine-partial.gl.at.ply.gg | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 104.21.70.24:443 | oxy.name | tcp |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 8.8.8.8:53 | 24.70.21.104.in-addr.arpa | udp |
| US | 104.21.70.24:443 | oxy.name | udp |
| US | 8.8.8.8:53 | oxy.st | udp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 104.22.62.227:443 | ads.themoneytizer.com | tcp |
| US | 104.22.62.227:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| US | 8.8.8.8:53 | ads.themoneytizer.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | cl-7c56f4b3.edgecdn.ru | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | cl-7c56f4b3.edgecdn.ru | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | ced.sascdn.com | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| DE | 51.75.86.98:443 | onetag-sys.com | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | a1184.b.akamai.net | udp |
| FR | 145.239.192.166:443 | tag.leadplace.fr | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| IE | 52.48.122.2:443 | adtrack.adleadevent.com | tcp |
| IE | 3.248.98.31:443 | p.cpx.to | tcp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | global.px.quantserve.com | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | a1184.b.akamai.net | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | global.px.quantserve.com | udp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | gum.nl3.vip.prod.criteo.com | udp |
| US | 8.8.8.8:53 | ip-fo-ovh.infra.leadplace.fr | udp |
| US | 8.8.8.8:53 | adtrack-php-loadbalancer-vpc-1246401395.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | gum.nl3.vip.prod.criteo.com | udp |
| DE | 157.90.33.122:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | ip-fo-ovh.infra.leadplace.fr | udp |
| US | 8.8.8.8:53 | 137.208.178.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.46.208.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.62.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.93.17.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.192.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.86.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.122.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.98.248.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adtrack-php-loadbalancer-vpc-1246401395.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| DE | 51.75.86.98:443 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 5.200.43.243:443 | ads.adlook.me | tcp |
| US | 8.8.8.8:53 | lb-prod.adlook.me | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | lb-prod.adlook.me | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| BE | 2.21.16.25:443 | contextual.media.net | tcp |
| US | 2.18.190.77:443 | a1184.b.akamai.net | tcp |
| NL | 178.250.1.11:443 | gum.nl3.vip.prod.criteo.com | tcp |
| DE | 91.228.74.226:443 | global.px.quantserve.com | tcp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| NL | 185.89.210.212:443 | ib.adnxs.com | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| DE | 162.19.138.120:443 | id5-sync.com | tcp |
| DE | 23.88.8.123:443 | uidsync.net | tcp |
| DE | 23.88.8.123:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | csm.nl3.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.nl3.vip.prod.criteo.net | udp |
| BE | 2.21.16.25:443 | contextual.media.net | udp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| US | 8.8.8.8:53 | csm.nl3.vip.prod.criteo.net | udp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| US | 8.8.8.8:53 | d2fashanjl7d9f.cloudfront.net | udp |
| IE | 3.248.98.31:443 | s.cpx.to | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| US | 8.8.8.8:53 | 122.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.43.200.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.16.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.8.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| US | 8.8.8.8:53 | d2fashanjl7d9f.cloudfront.net | udp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| US | 184.30.156.32:443 | lg3.media.net | tcp |
| FR | 52.222.144.28:443 | d2fashanjl7d9f.cloudfront.net | tcp |
| US | 8.8.8.8:53 | pixel.quantserve.com | udp |
| US | 184.30.156.32:443 | lg3.media.net | udp |
| DE | 91.228.74.205:443 | pixel.quantserve.com | tcp |
| NL | 178.250.1.25:443 | csm.nl3.vip.prod.criteo.net | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | ag.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gem.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gbc0.fr3.eu.criteo.com | udp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | gbc0.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | gbc0.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| FR | 185.235.86.7:443 | gbc0.fr3.eu.criteo.com | tcp |
| NL | 185.235.87.21:443 | gem.gbc.criteo.com | tcp |
| US | 8.8.8.8:53 | 28.144.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.156.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.87.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.86.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| US | 8.8.8.8:53 | ip-fo-ovh.infra.leadplace.fr | udp |
| DE | 157.90.33.122:443 | uidsync.net | tcp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | 68.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 104.21.234.182:443 | s1.oxy.st | tcp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 104.21.234.182:443 | s1.oxy.st | udp |
| US | 8.8.8.8:53 | 182.234.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 188.114.96.2:443 | tmzr.themoneytizer.fr | tcp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 188.114.96.2:443 | tmzr.themoneytizer.fr | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| FR | 185.86.139.95:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| FR | 185.86.139.95:443 | itx4.smartadserver.com | tcp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| DE | 162.19.138.120:443 | id5-sync.com | tcp |
| IE | 52.211.13.38:443 | id.crwdcntrl.net | tcp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| DE | 162.19.138.119:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| DE | 162.19.138.120:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | 95.139.86.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.13.211.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| US | 8.8.8.8:53 | 122.138.86.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.197:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5---sn-aigzrn7d.gvt1.com | udp |
| US | 8.8.8.8:53 | 197.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| GB | 173.194.138.202:443 | r5---sn-aigzrn7d.gvt1.com | tcp |
| US | 8.8.8.8:53 | r5.sn-aigzrn7d.gvt1.com | udp |
| US | 8.8.8.8:53 | r5.sn-aigzrn7d.gvt1.com | udp |
| GB | 173.194.138.202:443 | r5.sn-aigzrn7d.gvt1.com | udp |
| US | 8.8.8.8:53 | 202.138.194.173.in-addr.arpa | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | 168.22.248.34.in-addr.arpa | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx5.smartadserver.com | udp |
| FR | 185.86.138.122:443 | itx5.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| US | 8.8.8.8:53 | 193.192.149.89.in-addr.arpa | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| US | 104.22.62.227:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | ads.themoneytizer.com.cdn.cloudflare.net | udp |
| US | 104.22.62.227:443 | ads.themoneytizer.com.cdn.cloudflare.net | tcp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| US | 8.8.8.8:53 | cl-7c56f4b3.edgecdn.ru | udp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| US | 8.8.8.8:53 | cl-7c56f4b3.edgecdn.ru | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| FR | 145.239.192.166:443 | tag.leadplace.fr | tcp |
| IE | 52.48.122.2:443 | adtrack.adleadevent.com | tcp |
| DE | 51.38.120.206:443 | onetag-sys.com | tcp |
| IE | 34.241.144.138:443 | p.cpx.to | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | ip-fo-ovh.infra.leadplace.fr | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | adtrack-php-loadbalancer-vpc-1246401395.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| DE | 178.63.248.56:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | ip-fo-ovh.infra.leadplace.fr | udp |
| US | 8.8.8.8:53 | adtrack-php-loadbalancer-vpc-1246401395.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| US | 8.8.8.8:53 | 217.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.144.241.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.120.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.248.63.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| IE | 3.248.98.31:443 | s.cpx.to | tcp |
| RU | 176.122.21.130:443 | ads.adlook.me | tcp |
| US | 8.8.8.8:53 | lb-prod.adlook.me | udp |
| DE | 178.63.248.56:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| US | 8.8.8.8:53 | lb-prod.adlook.me | udp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| US | 8.8.8.8:53 | 130.21.122.176.in-addr.arpa | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | euw1.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | euw1.smartadserver.com | udp |
| NL | 89.149.192.193:443 | ww1097.smartadserver.com | tcp |
| NL | 89.149.192.193:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| US | 8.8.8.8:53 | 85.139.86.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| US | 8.8.8.8:53 | itx4.smartadserver.com | udp |
| FR | 185.86.139.85:443 | itx4.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| US | 8.8.8.8:53 | 226.210.32.178.in-addr.arpa | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| NL | 52.142.223.178:80 | tcp | |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 216.58.212.246:443 | i.ytimg.com | tcp |
| GB | 216.58.212.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | rr2---sn-aigl6nek.googlevideo.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watson.telemetry.microsoft.com | udp |
| US | 20.189.173.22:443 | watson.telemetry.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| GB | 173.194.183.103:443 | rr2---sn-aigl6nek.googlevideo.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| GB | 216.58.212.246:443 | i.ytimg.com | tcp |
| GB | 216.58.212.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 22.173.189.20.in-addr.arpa | udp |
| GB | 173.194.183.103:443 | rr2---sn-aigl6nek.googlevideo.com | tcp |
| GB | 173.194.183.103:443 | rr2---sn-aigl6nek.googlevideo.com | tcp |
| US | 8.8.8.8:53 | watson.telemetry.microsoft.com | udp |
| US | 20.42.65.92:443 | watson.telemetry.microsoft.com | tcp |
| US | 8.8.8.8:53 | 103.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.65.42.20.in-addr.arpa | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | euw2.smartadserver.com | udp |
| FR | 178.32.210.226:443 | euw2.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
| MD5 | 7a902c87a60986f18a6b097712299256 |
| SHA1 | 2c01906a39faa9d27a41e0d3cd84e92410b9c483 |
| SHA256 | e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5 |
| SHA512 | c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 3fc932775533f1bcea180de679a902dd |
| SHA1 | 3f393d02af4653e34bf5526ec5b6f8d6e4df65e8 |
| SHA256 | 09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a |
| SHA512 | f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764 |
memory/1116-11-0x0000000000400000-0x0000000000457000-memory.dmp
memory/208-9-0x000001F140360000-0x000001F1403A0000-memory.dmp
memory/3172-12-0x0000000000A70000-0x0000000000A8A000-memory.dmp
memory/208-13-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
memory/208-15-0x000001F15A980000-0x000001F15A990000-memory.dmp
memory/3172-14-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
memory/8-20-0x000001E3D94A0000-0x000001E3D94C2000-memory.dmp
memory/8-23-0x000001E3D97A0000-0x000001E3D9816000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztkjz4b2.12b.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b721b21f475be36eee76eb7dc3e479b8 |
| SHA1 | e4ec21b1f2ed4a3d29e55ad4350fa54c9b13e53c |
| SHA256 | caff144bf4be3976720feb58d440318d242c86a89f0c3b0133a360391015fe4d |
| SHA512 | fcc865cab4dcc809efb5559f7882764e30d7db05284515e150cf2b43b4ed22af2cb37139302f69fed4c31fc8bcf1aaee9ebb6dddeaa85b7426a8db15509d551b |
memory/208-93-0x000001F15A930000-0x000001F15A980000-memory.dmp
memory/208-94-0x000001F140800000-0x000001F14081E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80a23dcc667f1044e1e081a455c777da |
| SHA1 | 6055683d61528226f6a58000fbe777c62997445d |
| SHA256 | dac58db929214a19c62846e3d9012720ab4c45c820ea70602a1da188fd79a8c7 |
| SHA512 | 92eb8c7aa524baaa300065d107d0c9447b99603c7f0a96efbbbff031d40d13c22a5aa1c487990ad959e133d890315e102e4e0cd05ce30a3c5051a6e60d78d2b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9fe9224c003a770e53652e6f20b3cb00 |
| SHA1 | eadea833e10965e9c80920dd88dc3379d3f08930 |
| SHA256 | f09be6ba327295461fe878326391f060520b1995614541d041595025bde8f567 |
| SHA512 | d24cb44fa9c360abf016af85c336d4a9d777a455a630723180d0f3d939739c4dfcbb01b0ed96086ad22e78ef693722ff86099bde6c1756537ea068caa15fa269 |
memory/208-158-0x000001F140820000-0x000001F14082A000-memory.dmp
memory/208-159-0x000001F142110000-0x000001F142122000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f652d2865a50f5b4933f93f3ddc7f460 |
| SHA1 | 27b82b6645d9a805d0159e6bd0830c0103d48dfa |
| SHA256 | d8f6bafa2743a24d45104fbca863ff7a720ad8f6d78afa2b2b64db5d4db1a4c9 |
| SHA512 | aeca6d100aecd52bb5cb83cc6a069083384ae5038b7c2382e1d6b00d2cc28863577b8c59b0a74da4f06d1751374be78b99b11efebdcde0409c3a83053c335c31 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0415f239c4916b04fa85336548a3bae7 |
| SHA1 | bdd7b14c107c44587be56ada7d56297684b20bfe |
| SHA256 | 339c3e290c1747b800def6c2b4525c2fe7f5b7f6594731b78900b7ee7b6ea49c |
| SHA512 | 81bbac3cc68cef28ea04730f89bbe041dfbe9352ca842978d35e55de047ff312d5b050fe0d99bc32638ecd75d7c379e0bd1b4b54aa129a960b84c5e19b42d2d8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\cd7749d4-cf47-4263-8ce4-83b0e7ce39e0
| MD5 | f0b8d29f03f56f13b3fda5d7b67f8bda |
| SHA1 | 67dd98750ca75e061c8ccd9c40e87f806b56514e |
| SHA256 | 95b20f04c4d51c64022eb1cfdf7250290256b0887cc5e6db12f430a9bd670a40 |
| SHA512 | b275afafa0f48015f98d5c370eef221bd0032ee68bd119b8750872a2a716807a90418fe465343b92e98d19f5137152dad0ca40cc515fd6859bbaf6e1ac202ecc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\627712b6-586b-4345-abc7-99654a79a41d
| MD5 | 2c8534913fa4932478fa92943f9e9204 |
| SHA1 | 23df597ba5681caced56a5041a742534f8387b5d |
| SHA256 | 3bd9aea6b02768624fb96997c8f7a2b9b92fba8ddfbace7a7fb50a969fc223e8 |
| SHA512 | 1073be42d3290df1857891665fdaa2902865e95445bfb087d1761c75b45c0798cd55e12e8cd1a532057f10b80e5b0ce567ba1e6cebd72b9426bb2d4cb0c85d33 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
| MD5 | dbee690736761e6e1bccec0e877566d6 |
| SHA1 | 115a034f288e83c8ced1b820a944b31eb001a92e |
| SHA256 | cbcbedab26786c181343627bf311fceed482852b676027b8ae501ba079c5f0ba |
| SHA512 | d68cae16339bd7a302cc11ceb289c8498e098706674771c94ae696826256f4684d5013f193d845f41308c97a546d935104552eaaa848a06c55f045d5252aca6f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd2cf0db365a010ce79ffc12b4a0568f |
| SHA1 | a1f875f314d8f34c8e030ebec50f76c348693bbd |
| SHA256 | 9d8dc8f917e0c75dc8fafd0cbeaabea7b66a65e7e78983765be49de6272ee32d |
| SHA512 | e97ab58ab4a81e2df4406e3e1faeba74a2fa7f161e9459307706cc51a4d927a6786855fc03a208bb651aa3b260760ba896410ff4ba9b09d3dbb5b5baf6deaf70 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 308d5c551b033a754cc2e3208c54100f |
| SHA1 | 7ca76119cabdd4c132cf65215d649020f7a2aeac |
| SHA256 | 20073d392598d2911fb611b2d4373d92c8929dff95fe74191c3f524c2224cd1d |
| SHA512 | 21212cc7235b3f36e43be8ea07cd3ee752768933b963c99bf2a8ef429db6214d98b0a68373c3306c0caa84a16bddc629c80c245747a48b4134b13818d3ffa471 |
memory/208-434-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | a99016fbd08888e266ba2797b6885879 |
| SHA1 | d99b3a4764213f4b6af41f51d93e89504e073e7d |
| SHA256 | 3b9b26ca19276cef2f34718b02ecef6971f1d09936ff821613b41830e595a6d3 |
| SHA512 | ce57ad20f303b2efc9a12da17bccdb9d398f76d6f089cb29eccbb52afbeab104e0e084945141c01050bd3d168d7690a9da611ec51a2735ef940b1e660d4ea2a4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 80c981fec322d82615ea8f63c9f1cc91 |
| SHA1 | 3194b14dec14416200516929b8055a99e3fa7c91 |
| SHA256 | 9d8b590a3174fa9a6460aa3db87e4d8bd876860b3e27d3daa579c356eafe30cd |
| SHA512 | 95bc4f3a56dbf4d6ebcc1a5e9aa71890b9994d0e24c6cdf9b49921330f4535c892b67597b59f18777e941b53802b1b7eff878c7c4e3b3195775e835749e95e6d |
memory/3172-475-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | 445af009a2dbe44cee5257386a52c706 |
| SHA1 | 05fb5853bbd936f28929bee81c0d54b4d6565dc5 |
| SHA256 | 2cebcc9dc274a7a4326aa4fccdde3cebf16e8cb6d80be197ba6f8a57bab16823 |
| SHA512 | 732261ad709f64e166cbf36e2976602543cd204986f7e233c6a00526a91c4ef77fa91e49f583a4c7556d69810d6c9341f647b737209d13fbf691b8c16e7deb6a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\default\https+++oxy.st\idb\556220133rrae_su.sqlite
| MD5 | c39fb6af2326c8ba84b5e9a39fca84f5 |
| SHA1 | 511ea8c7133781e3b4b8533553c1b1b639ceabe0 |
| SHA256 | a155c2e8c9a232232da472111fc4869def7d0ee99ec5b1a899d1287e1b20ea44 |
| SHA512 | 2465632072e8dc8b0252f18d1dcedaef106712fc72dbf7ee5d6f0a56e07f8cc39977d8aa6a6729ca787f70e7b86012b4f9ff9ac176def36af562ed5b6baa45eb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 636d68a2c604cd972dc0731187083d8c |
| SHA1 | d813b0090e6ac5bff735ab05c4f04495fc97db3d |
| SHA256 | 6104ffe53ecb598143775b5a64e7162531eeba7067071ed719df07a50f52f7c9 |
| SHA512 | e1792526aba2f9e404e0708cfb3e24caee11d7e688e52c806563df7fcee0ae09cb27842d83d567da66a573971ded18fe4e4ce4b68aeaa809775573f8ad1e97ed |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\13EFA2A0AEBD2083A85C899358878A2DC2AD7C54
| MD5 | 30b1cf2674e21195a65c63fc846073a9 |
| SHA1 | b63d718e9eaf21c44ad9bfe85d8746b665f651af |
| SHA256 | 41ae03c583e77af5d1fb2217fa791ec92b83164f837019ae2d07a96419f5ce4c |
| SHA512 | f371350dbb4d13314e6a633f29db61b6e6a740fd5122124a3b35e88e20662b309626e44d723809813b06122eaf6ddb0db72b4af9ec34a9edd68dc35f0efa8aea |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\13505
| MD5 | f4c0b4a421ba6872368844aed0e333ac |
| SHA1 | d4bc696dc15cef50f6cc2dc82c845cdeb8cc2573 |
| SHA256 | 0754676f5cab4b74d4672c5b256f9a0c514e191d117bc4f420719686427801ce |
| SHA512 | 8678e5ae62fdc67dd4e9664f0e5011804514c420f61affda004d7ee970d6de4590192dc93bf99e7e8d601c0a212ad788bfe7a00d559af8ee4442b94410613dab |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\15649
| MD5 | 3fe4be3641a8120b341fccca8a850cba |
| SHA1 | 9b62d64c537c2dfca46f5fc483d9b56601869f80 |
| SHA256 | 66fe41d003e4a0c6ef51cafaf066c866615e8d71202dbf1e1a391bbb0bbe847d |
| SHA512 | 7c2c9407e347ef39bb527e9cf5618abb30e95c29cd5efad74769cf40ab187da4833c312f9b938e37e8376239ddf144e8d804f1422b04a936bf61a963161a24ac |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\5BCFC2FFCFCFA5D698A8C966B3DD039903C169BD
| MD5 | 3b054d6701969cc73900eaea42af0271 |
| SHA1 | 207901aa643d450fd11bdd57773ad6bc4067bda0 |
| SHA256 | 5ed0d3a0616966da7e68331124348c69b8fd112d1cf3e11471dfb4b3f82ad72f |
| SHA512 | b1ccfd9f696a65c6e1f9f482be15a75cbf9ade5c36d49119b5b25a5005153666ae8748be0fd681e5ed9f16f2913c761833987d2238f5f89818e04d8249c090fb |
C:\Users\Admin\Downloads\Opera.exe
| MD5 | f69924b642ac4b9ef1dfacdfd43759a9 |
| SHA1 | 95da50564c7cbc3749148419c68a08b0f2869ee1 |
| SHA256 | d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18 |
| SHA512 | 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5edefea34919cd6b95f500ef781587b8 |
| SHA1 | 0b432af78021130b15e79ecae62391d76f82ccc8 |
| SHA256 | b14143bf8f2f11e588214a4b59d7f694836ee721264e67ced7eae611349b8c37 |
| SHA512 | 479391c7315f8cfaf3b82a456ef20ee94f3f2529fa3256e42d963c8fc81361a410fc90d17612a2e7625144e830bbe35715ce34f147d7174cfb8c89ad44772148 |
memory/5744-849-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral3.exe.log
| MD5 | e507b75f87a5b5a1e60d02faf80d3298 |
| SHA1 | c61c6060ec21c21b421d89a616807dafdaf16687 |
| SHA256 | 650929c6e999ee06fd82f34a913dea89b3b5b66af2407ecf9e066f8092ab723d |
| SHA512 | cdb6699d00b61fedc0db9ab6f5db795bae619b6f579ec5eeb57124414b0022d8d8b0a359589f3427f09a44ed4a073c75c53902ef8fdc2b288f347179603a52c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79b9694ca6534f2f0777084e22534e34 |
| SHA1 | 3ad48b614f80b373459fb83a5e46662a3d5e69e8 |
| SHA256 | 80a3848451f133574d7e6a4185db0a5eb1d0fc984bfed1c9224171491e5ed502 |
| SHA512 | 63a14a57e906298e7adef9929a071fef930e364560ec344ec923176c465f752780c3b9d168940a6d56f9cf756f135543fa10de7b63c8edb311b25b34ece7592a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d754b109868d8227055869f43f56244 |
| SHA1 | a1ed8be92514fa5901a00ac5302b85e9094b7bf5 |
| SHA256 | 98a62117618c7239ce07948961230637ea47b3f458061bd627ab03a600f9f186 |
| SHA512 | 86540ff50391a74f31e95ad439c861b642f1ccb6d4d55d51ea6245d5fed8b2fe28598279775682830f465fb0d608c2571cd2b087ff582272f9322176beb4b6bf |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 577f27e6d74bd8c5b7b0371f2b1e991c |
| SHA1 | b334ccfe13792f82b698960cceaee2e690b85528 |
| SHA256 | 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9 |
| SHA512 | 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7af0729bd49ec9d9ccd1286ababe1aff |
| SHA1 | 2e671d9d755fab8ba14bf6765bbfc20303cb363e |
| SHA256 | 53178d6e7547c4997844863803d467bda2ef0618ed0c541da38a21416c46a593 |
| SHA512 | 9afc18786e3803914eef8ec22c6d4bd27470a4227a1da7f017806606ab065d9f762b19eb8a629320d1d4ec170838d4f13bde6233c02ae74451d2e2fabf031f40 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a294c94cdaa304e277fe4e4ffd16349b |
| SHA1 | ead4bd6da3cf9f0a9aa63dd14e6cbbe4b0d0325b |
| SHA256 | 0d02609124e0ca587127ff9fa0da729ba840a24b66613bb192fca99c99b0ebdb |
| SHA512 | 09f102aa0e5696fe086a4a1301ff1b8c7d8969b3453b3f591bedc238a70de27db3e8d5e50297286679053bbde0d8f653fa20d2be6668130d16b94f7fa342b5d4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57c3e2af308c48166f1d52724a6a67fa |
| SHA1 | ded0fa36d5e807b419ffed3d4c6ef2fb6fcfb47c |
| SHA256 | 67164d01aed009abc69d4cb3e8da323afcf88976fb369604e0d31354984c01f7 |
| SHA512 | 0250c80200f908ea6c0b36c8ce98cfbccda16e4dd93555aea45503e303b37592d9f466d343464f7507c9c9c35a38a4b61d0617bbbe792bf1b2aed7a4253066e6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e32be4d732d29a4c638a64ee0319b6e2 |
| SHA1 | 7167e888b3cff660d66cbb1dd33b073f92013945 |
| SHA256 | f59e5f28e3bf417c804d1480e421cb3348556d5db3a268d38d442c685a4bee20 |
| SHA512 | 6115c27f8a8e5b16f2f69f8eccd040d0a333b0cade509a49195a568b19ef6e325f313d74ce108c0723db51253726b8debc7eeb472d6f158b85a9c83aec314cef |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | 8c18dbb6b313d8da17d381abded45f19 |
| SHA1 | c1c3d2657d1fe64ca74ca01a42a4708970788f22 |
| SHA256 | 8e60735cc4d1b277797b13f3d265d715bd9431464eae9f4463ac280d6c21f258 |
| SHA512 | 09f8a2eef92070ebdfe7fccce71a25e84cc7b49b6fb00ca7d974ec9f64e2ec9ba23ed0794aee9412e9cb1c2e58a99142d7f5feb36e799ea51ae0e25e640b6620 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 01e3be1134890887350b361ff9b8c681 |
| SHA1 | a92fb77350933689ce4dcf957e9979fd79169270 |
| SHA256 | 63a6ae4640db7a3c51ed0366f5339e3ea321de2d3dc544599e7999245e1039bd |
| SHA512 | 4e7cc68ccc4a192ec865795d159bfb51b13b5347bfc6083dcd86fbf214b0349d6c05bdbd4795ac37f41cd2c83ca309e4fae7faa37a6eaadd2fe2f230196adde8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | dec02dc294a2834629f0c504d7d2033c |
| SHA1 | 316f0c50a22c3c8873f10c9eb2c9ba6c5d608880 |
| SHA256 | 4cbb3436537a98b1927444b71909ce7fae99596590f20d8f7f1d8b3ffa53a966 |
| SHA512 | ed090f5adb78344d5231699f8e87b9cd94bd13069cba03622975ff24faac6fffe4fcfa6dacb31887fca1dd2a7054e5efbfdd54a0236cc8f7b28b2523a4923a66 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | f996183be2b71a7aaca59b4fa743b6bb |
| SHA1 | b30f5cfadb9b97d920700597c5fbb0e8b17d34bc |
| SHA256 | f48004ab1bb2d79f473753cf8a9a2e5cd413355dfc273a983ef06a3e72d27af6 |
| SHA512 | 8d29d435ea74ed49cd0993cc412cf9ae61a8d95277f0f9fdda8c612e4e2d9cf97b8175200b300abe53cbbe6856f4c5c9ad33b93e4580acf67700232e61d4b34a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d4ecd037f97483309ceadc5a41b23ea4 |
| SHA1 | 0778028c2ecf1c9623f6889f38537cbb099c26d9 |
| SHA256 | b85f204586b0ac6ea4a086200645723f2e1e2962e45873f11f7ad917b333f490 |
| SHA512 | 9e39ea418f44c78ff035eecd6c779f4f792369c3e743377510391e4885e92833703d6cbdf9743220a35086ef6458c1734ec3a0df96859ad8f28373d37c392559 |
memory/3172-1161-0x00000000010E0000-0x00000000010EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a32777d92780fe997d46965f96edb88b |
| SHA1 | 73ff14d8f1663a5e7441a17bc06f4b6711947b47 |
| SHA256 | b53e51b4540de993c3fb5c557707429c4a2c1fc52033c9a0f3af5c0ffac5908d |
| SHA512 | db3abaf107bf9d7a9ce240c371334a383e519a9f734cd98aa57ff13096ecd9a0e725d3f81832649d9908841368001812355544e6cd109a30f31b028bf539f0a2 |
memory/3172-1170-0x000000001B4B0000-0x000000001B53E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 0fdffaaf60fac3dec808113a9d8a475c |
| SHA1 | 517e1ec4707dcf3f288e539b7bda901b0a19ad2b |
| SHA256 | 3d0211f6009524d6977dd9a8228106bfc2cb9e5fc0378d6faef861bc39546dd1 |
| SHA512 | 79e4ca3ee1ab94958648eaf5c1eaf4fedebc3c330d4269464a1103567726a54f697ce088854153fa745b0e682efb1259616cb4841404ccdba88c5a0f4f436f33 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 041f5dbafd23f788463381eed941847a |
| SHA1 | 8fdc2e7e15d8a422ff08a392048a009f27c3bf61 |
| SHA256 | 26ec00272fbe71274adafd8e97f916a45399dd2b42f53ea4df76bb82b3a5619e |
| SHA512 | 5461e3f9f3357f8075a5753148ebc1540b5d1620048b2a7a343426fd1f79321fb6be047a746584f0e4c0e16e4ba993d247f7c9a5cac82197cf8fe5a78177bd8a |
memory/3172-1192-0x00000000011B0000-0x00000000011BA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 50fb02d5ebe5c890e8b29fcffae746a3 |
| SHA1 | d3380e95bd0cf4638c1252856af83e5e66cfbf95 |
| SHA256 | c3bd66d4389a7fe8067655b7c5056d6ae93008e13e12d8e53057ce903611ddfa |
| SHA512 | 2fd132e3e9820898e34d88ec7adb0df977af227de3f5a85382ee90e5b61eae1d3fa8cfe7c08ba90b2f568c964e4cd109fae2c2aaa1b11dc51a329f3e550c42b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | e2d7b5dc4ab2caa48ce2c2d6a8ef0e05 |
| SHA1 | 0c4f0f4738f0119dd205f0c87fb314ef63d2dd7f |
| SHA256 | fba3ce15400e50a81b2deb1708b20813db52da4bd61b9cf1c684c6aef46e8dd6 |
| SHA512 | 40d35ecd4cd64fa0646aff5f3bd7b06aa616ff78b8a9d8bd17bcd381f1a42ea6322457408707bdd82b0207732b6e993f438ea90c81163a0967f699452fd5beb7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json
| MD5 | 72c95709e1a3b27919e13d28bbe8e8a2 |
| SHA1 | 00892decbee63d627057730bfc0c6a4f13099ee4 |
| SHA256 | 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa |
| SHA512 | 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\targeting.snapshot.json
| MD5 | edfba10a9cd8b97095344453d024a733 |
| SHA1 | 7a84c2da263b102c2c5b1b7f88cc20a72e8e429d |
| SHA256 | fa9676ab1a172336bd8228fabf80760d67a3fb505128139e1cef297d802f72dd |
| SHA512 | b8c12140341493d70cfd0441a480c96125a77a7d6e65ea043191bc2e65a7cfe890e1da0f5c8e12e77a8e6ee8765a1eaa6ed062223b417b7732b95d49c2d60696 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 8a7bd80b9a1bf23c8abcd24415d990c3 |
| SHA1 | 953dc657a3f71eb80bd85d00d60c6267bfa9ad2d |
| SHA256 | 9edde090876494709c3ea4a322fd5e27b147ae8a9f35a4acfe711e6eed14f870 |
| SHA512 | 00dddc3cbf2cfffe844a20246b4eda5fd6471743a9ad284a2eb12869017355585ca53b0ee86ff7355fd51e3658e7e2438c9f5b870952f9a40d6d9b32b4707e45 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 2da7a1b8d8bbeeb3618aab90433c2631 |
| SHA1 | 269c69378030c5e9cc5efe7a8a3e80f99acd82bd |
| SHA256 | 27e5368713002724b9fd3e2b1bb55024329d283d891ddc7010f7ca9ce34bb331 |
| SHA512 | e03ce8e07e09bcaae4ff4e8832d9a7fffb0a6c5c46528a3c51fa600ef6fde8a3c5b367ff0c32cc8c3adbffb07ce196f777c4594993310e31eccb054c2ab7c017 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 9a2766fe73084fd83ae53cb5c8c52e97 |
| SHA1 | fc734a54e030af524a185e860cdf1831386b7d15 |
| SHA256 | 1639edd25e9550164ff38683b803a83a97d408057fc90f0a0a0a6710e96dd60d |
| SHA512 | cb0ed0c406807375ed10368b5c52c49f19b4b91f2109daa601970e8d645f1f8801bc2abf049a04c11adc02503040a53a4e7d9f5f7497d37f68d04a77fcb9fbd0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\bookmarkbackups\bookmarks-2024-04-26_11_MaaMR8mhAQTbCgvsLumwIQ==.jsonlz4
| MD5 | 838d93fe7f64f4f752cc6aa88379ef54 |
| SHA1 | 55f0a2bd40fd96e3a319f886a58891fd9d416c0b |
| SHA256 | 1b13e0ebb1dab164edd26588e55ea99c9909f18c56c9a3478937d96719d9a54d |
| SHA512 | 8a4fddabc8792bc2fdc4868e1873f415614c3dc08bbb50272b64fbab124b4516ab0e3be04f31cfb8e02e7b653bff231053208d1638dcf0372439dcec71d33f00 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | be7e73da3539dc4f2aec00edef19cb89 |
| SHA1 | 78bb7de35efdc08935537f68cf3d8bafa471f9f8 |
| SHA256 | 0517f087376ea1358509e4867d878070cba9ddeb6e24c4b51e32adbd378d1b7a |
| SHA512 | 64f00383eca7813465eb00c0540b00807c88a645e557eea2b4048dc897863efe4159a2ce97d7ea181a683432e6cab67718714ec2025e948c86a78527a303b052 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | ded90f0ee21d4684f5cdac179001f169 |
| SHA1 | 7f612af964a576660d428bebc87d04082b68dcf1 |
| SHA256 | ff7435ce30cffdced7c0913810fac71e38891697a4a271424109a8f1fb6201cb |
| SHA512 | a73c62b5a7278597d9bd0adc6668a11a6c6e24d2daec1f496823e5e23c9d89de58662878fd2d710c7f7e508a23a065fc9287ed161d8e10a388f3b36482018278 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d945a0b1e171065d5491eca4ceafa37c |
| SHA1 | 47a98ae32bcd80f0d4ea7cc2cc409ab1a37515cd |
| SHA256 | 6fa6a066538e61c84bc0134ecf9b62f01d86a35ca99fdbd77db1a0c57a7f1b02 |
| SHA512 | 14a1d67c1c59de8ad85f09caf74643928a4f36a17541747ce569f931de981e3f97d47a7c6c8509c4390ba069e308d3bda36da1289984f3d74ae8149324bb96ce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 62827cb95b2bf00cc4983712c917f1a6 |
| SHA1 | d84e91de55c0113f3cd5fa8376db3c2f0faaecf6 |
| SHA256 | 14ae5bb91ea0f0a51a9b7f57437a7ddbe140df9d3da0affc981b0b318f398900 |
| SHA512 | 3ef54cc9a66595b63da8a34513a273cb3d59df29284846cc329372978439a65d184c7e0a7e20e97394d78717c4500fa0b48442c52934b779ee0e6c836a0d0c05 |
memory/3172-1405-0x000000001B560000-0x000000001B572000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 2cd6a220d6c116f48f15d41415046592 |
| SHA1 | 43d39f4896d7b19d24c549fee1d2209e9e082f4c |
| SHA256 | 99b7967e14acd6f65a1c1073fbc824b17a77d8a29d5bcb3dea66b2b49c7bb757 |
| SHA512 | 10c7d2928b9cfde5076ffd320f9538f83d18472530ad4060f7d9e0520da33ef9a2bc4e169492bc5837c07031037b6e0f8c50a16857a837e0c00d909b7dfeef1f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5a3a237586a89f481524e4045be7b6f4 |
| SHA1 | b5d57f37126bedfd298f93a9e00976b0a9434937 |
| SHA256 | 1f0ae020a90762fc85d3876ff819692e1eee3671edf155579d599cb2e7cde067 |
| SHA512 | e7eb30b0a03bb267c0a4a4696da6cbd701cb67a723df5d330cd10fe8078a4bb027cece59bcd34b13a1a1dea7ec9ff6df7d02b2e93184bad77a520d86019ad891 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b83fde10314a840a020fe4b56776e1cd |
| SHA1 | 122cdfa716f9759a32c9ebdb859371f524204e5d |
| SHA256 | 49dc0189909afde29c249b99174d87407c65bf2f192d9a32e33324339cc284b1 |
| SHA512 | 9c6541a85758eae13e2ac6212bda4fe04a2d747d37a11428a6e6f71eeafbee02df54a57026b164d4bfde6fb8664388404d449dafd007b36fb5a031c604c04ae5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b50c06c61a473a3af3c992364d70c8b7 |
| SHA1 | 43fdcd073e24ffe002440db5961c401816659e60 |
| SHA256 | 7ea8117a98ff4f1d816e07ce064e1a3bfe323e8e63bbe9229e86e8ec1990cdc7 |
| SHA512 | 260220f0cfc2d64e414bfc906aedb03ba3e58611da00c945d500bffaa4c600b7b6b4ff81de7d738aac5b35b8d302059804cad0cb5a406d5a66221431ea91e038 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d0945e739ebf61729f12bca2ae7866a6 |
| SHA1 | 1adf8c749837561583026b535144afa479031563 |
| SHA256 | 9047e372a584ec0a18f581868da965598486548d595d8398bb8ffee5470aa14d |
| SHA512 | 35ba3093a1c5520bf55d2a892a3ebd5095bfe2c0f85b5a99a9d3bfb706d477c5a10feefd432a4e96af9d35f5b4b8484629fc3f1da0268e3f507d0f5c93463028 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e693a7b8c6d011a3ee999212fef6f8af |
| SHA1 | 6492669447a3b7e37c2586f5ec92bf9c57b0df72 |
| SHA256 | 8170138141dea2a5aa7b1f598abb89baa8667109be47cd6fe1ded428aa33dc80 |
| SHA512 | f6dc0cb07fa63b9b531712a0d53ef2f2365fa7dd8073b640b91257965c95d1ce8d59bd726fc0653ff07a1f2a16a1e8acc3c371842e0bc6ae83d6ab0542d6c4c2 |
memory/1788-1484-0x0000024481600000-0x0000024481610000-memory.dmp
memory/1788-1468-0x0000024481500000-0x0000024481510000-memory.dmp
memory/1788-1503-0x0000024485860000-0x0000024485862000-memory.dmp
memory/5520-1511-0x000002A2B1200000-0x000002A2B1300000-memory.dmp
memory/5520-1512-0x000002A2B1200000-0x000002A2B1300000-memory.dmp
memory/5520-1510-0x000002A2B1200000-0x000002A2B1300000-memory.dmp
memory/404-1527-0x00000277BC900000-0x00000277BCA00000-memory.dmp
memory/404-1530-0x00000277BC670000-0x00000277BC672000-memory.dmp
memory/404-1534-0x00000277BC6B0000-0x00000277BC6B2000-memory.dmp
memory/404-1532-0x00000277BC690000-0x00000277BC692000-memory.dmp
memory/404-1556-0x00000277CDD70000-0x00000277CDE70000-memory.dmp
memory/404-1588-0x00000277CFC00000-0x00000277CFD00000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878
| MD5 | 7665489e087b66e2e4a86748ae5ddbd6 |
| SHA1 | 432dbea22f1be3a6551976b48d3b4e727612a44f |
| SHA256 | b6a61bbd73867e678a2f63026700607c9da40fdcdc4e78bd7da31c357467be4e |
| SHA512 | ff655a055f054952d72ea4b2d92e5f4dcd677ee900601d7392cf3acaba64f2ef71e9c90192c8f61577964399efc0878564d6ba4fd3d628f53b226ddef2db5d6d |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878
| MD5 | 2922939339db260048aef8adc8ad3a3b |
| SHA1 | f88f5a1cae878e009acb44e184639d83a37aefd4 |
| SHA256 | f22e84ebc4b683dc4e166a9eb13ea96312171ef876b3aa07aa9f1932afec95f7 |
| SHA512 | d225c0dad835c350e65771301d1be39e9dd8b45c0047d83683527581359c8c025a8772d7310e36c723dc9ec2c3ff354e8f1159996eb6842ca9cd116aa75330e7 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | ac89a852c2aaa3d389b2d2dd312ad367 |
| SHA1 | 8f421dd6493c61dbda6b839e2debb7b50a20c930 |
| SHA256 | 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45 |
| SHA512 | c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 4335b1f9715c6a37980b52911b512f04 |
| SHA1 | b0edd8f6c04d657b11e391c91ea838ef266c00c3 |
| SHA256 | 079ed8e813eb9a3d71f4139df6658035db6f1c11a47fef18e54691f0e53e83a9 |
| SHA512 | df55e07d05cb27bbc5fe162def1b4d0db401bac75949ae910fe8ddeca3d9e935ebac9a5d4b9f47218fb893f98c76bd0a21b5e4b9a43c027bbf494eba296baf10 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 069d0310ee29b489c012daa53bbb802d |
| SHA1 | 4d1a5fa55d576282b7f308cc8c1fe1ad07ffbc2b |
| SHA256 | 8dfae75ff4c447e989ab690b07a4eff686c15a190fdcfe10a4b774eacd029a1f |
| SHA512 | 941a3257318a76ac1a939a2c64a9a93764a4f745fecab2ae5b9a7481c85f22f115cccc016917f94ff6e8beef62a6ce23b862bc7507bfe6355649f1baac2a0972 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 754885df53a820eedf1205c148efacc3 |
| SHA1 | 73ea55048725233e91291d54f272c77d99de212a |
| SHA256 | de080c6253f2960a88c6e6388ef09f90a4ec4a672f70a0e7158f711639058571 |
| SHA512 | 6435c6c29b085ea9cc342d2d950d081c3d723f4b653f86e5617cdd1cfd1ca6425fff1a1f24f22fc2d0aac05791b4854b6466481bec2be7df25f8d0f8c1a240e7 |
memory/2340-1608-0x0000029A238C0000-0x0000029A239C0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\intersection-observer.min[1].js
| MD5 | 936a7c8159737df8dce532f9ea4d38b4 |
| SHA1 | 8834ea22eff1bdfd35d2ef3f76d0e552e75e83c5 |
| SHA256 | 3ea95af77e18116ed0e8b52bb2c0794d1259150671e02994ac2a8845bd1ad5b9 |
| SHA512 | 54471260a278d5e740782524392249427366c56b288c302c73d643a24c96d99a487507fbe1c47e050a52144713dfeb64cd37bc6359f443ce5f8feb1a2856a70a |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\webcomponents-ce-sd[1].js
| MD5 | c1d7b8b36bf9bd97dcb514a4212c8ea5 |
| SHA1 | e3957af856710e15404788a87c98fdbb85d3e52e |
| SHA256 | 2fed236a295c611b4be5b9bc8608978e148c893e0c51944486982583b210668a |
| SHA512 | 0d44065c534313572d90232eb3f88eb308590304c879e38a09d6f2891f92385dc7495aabd776433f7d493d004001b714c7f89855aa6f6bec61c77d50e3a4b8e6 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\web-animations-next-lite.min[1].js
| MD5 | 44ca3d8fd5ff91ed90d1a2ab099ef91e |
| SHA1 | 79b76340ca0781fd98aa5b8fdca9496665810195 |
| SHA256 | c12e3ac9660ae5de2d775a8c52e22610fff7a651fa069cfa8f64675a7b0a6415 |
| SHA512 | a5ce9d846fb4c43a078d364974b22c18a504cdbf2da3d36c689d450a5dc7d0be156a29e11df301ff7e187b831e14a6e5b037aad22f00c03280ee1ad1e829dac8 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\www-i18n-constants[1].js
| MD5 | f3356b556175318cf67ab48f11f2421b |
| SHA1 | ace644324f1ce43e3968401ecf7f6c02ce78f8b7 |
| SHA256 | 263c24ac72cb26ab60b4b2911da2b45fef9b1fe69bbb7df59191bb4c1e9969cd |
| SHA512 | a2e5b90b1944a9d8096ae767d73db0ec5f12691cf1aebd870ad8e55902ceb81b27a3c099d924c17d3d51f7dbc4c3dd71d1b63eb9d3048e37f71b2f323681b0ad |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\scheduler[1].js
| MD5 | dac3d45d4ce59d457459a8dbfcd30232 |
| SHA1 | 946dd6b08eb3cf2d063410f9ef2636d648ddb747 |
| SHA256 | 58ae013b8e95b7667124263f632b49a10acf7da2889547f2d9e4b279708a29f0 |
| SHA512 | 4f190ce27669725dac9cf944eafed150e16b5f9c1e16a0bbf715de67b9b5a44369c4835da36e37b2786aaf38103fdc1f7de3f60d0dc50163f2528d514ebe2243 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549
| MD5 | de82d42a975c8016a713dc2db5928817 |
| SHA1 | 34a4332de0d4db79cb2c7cdce70d0bd19f8b8d23 |
| SHA256 | 3d7092c5193629502aeb800a22d2c772ebd1a2d5845683ecb1a696ff2826b580 |
| SHA512 | be47b200cc40a77eaf0eb730df220e68f617cdd649720f2e0443ba8749da2cb1ceac5181881f3aec9d851095fd195e6e0db170ea9750bac69a147c93d768f274 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M5JLJ3LG\css2[1].css
| MD5 | 5912f3bba71c222672dfa244a60acef0 |
| SHA1 | 317a49729bb8654c3986e6b32278258a1d692d81 |
| SHA256 | 48708ab3b01bc53a736f7f85e0badd9174872faa981e78b32c16c4efcaa59d99 |
| SHA512 | 770f13af0d6ebe7ff9d925efccd05b0b2e5afd5fbe19770562d88936d541a298a49aea028f5122a255fb5026b4a5f37c0cf52831212ecaaf378a5769ff0379f7 |
memory/2340-1645-0x0000029A34C50000-0x0000029A34D50000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\network[1].js
| MD5 | a36f25447b3d55d31fdfdc30fa31c3f6 |
| SHA1 | 81154e36fdda94a482fb7f079ef683fa3af68f1b |
| SHA256 | 1432216f926190d39c5e9b17f38a4e075c692650eddb3df32e2a55d6b3eb6f9f |
| SHA512 | 2b396c5f278953dfb1ffa324e35150cd375218cc993510fc1643df68847d7d951efe2208423fd8f467a46f4b14fd8b3d7af06c7d24ab8f1753789cfc920587fe |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\spf[1].js
| MD5 | 9df260ef5f689e597011f8a110bf0156 |
| SHA1 | 7cf9959f50ee5c0eb7653cd7b9d56e9e13c61325 |
| SHA256 | 8e184352e6a0026e43c829910615fc408a900dad2f388d1b284756d1a7b0b62e |
| SHA512 | 099ea70bc08630b933e83c3033ae049c19940ca9e8f0eb42eb764552a9649493606eab56f683aa72df356ef53a9b37a63493a349e86a098fa82aa0ef75387cd8 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\base[1].js
| MD5 | 99d94118b126f0e6fa930656e9aeec5f |
| SHA1 | fde794b877a215638b07225c393d23d93d090169 |
| SHA256 | d23c0ec3c06e663c17df265a07da5a6a5d0ced529cbf10c842df6cc9934867d7 |
| SHA512 | 0aa8e01192ac2f7eda8ac27c1ae67cd2c2e8b927a567578b6575a86892183e2a0d9de6d09b907152dac18a67fe041d1a4948d762fb29cc23b960e1ddc954d2b9 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\rs=AGKMywH7OenIozOPso_R4eAze85u9ntbZg[1].css
| MD5 | 0d4df52d0ae450290f831b5e296fc4d1 |
| SHA1 | 673b85f8dd75d27097fdab6c6a4e724e07cf2099 |
| SHA256 | c9b7d2799f5544c71e7a43c890952f0b7edf08ba5fe83fa05b4ef5c901590251 |
| SHA512 | 865107ca766a23b888a190ccfbf7c63e5bf4b8d42102baf4b0558e9b137ee25b19800d7d91a60ad2d3f28f33772daddc67d5430d9f50bdd918fa810c2a37d0d8 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-onepick[1].css
| MD5 | 9ace9ca4e10a48822a48955cbd3f94d0 |
| SHA1 | 1f0efa2ee544e5b7a98de5201fb8254b6f3eb613 |
| SHA256 | f8fdbb9c5cdceb1363bb04c5e89b3288ea30d79ef1a332e7a06c7195dd2e0ec4 |
| SHA512 | 25354aeecb224fd6d863c0253cd7ad382dce7067f4147790ee0ce343f8c3e0efb84e54dd174116e7ad52d4a7e05735039fa1085b739abbe80f9e318e432eed73 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-player-skeleton[1].css
| MD5 | 2a5f27d8d291d864d13eaa1f5cd9cd51 |
| SHA1 | b39f9b99b924e5251ac48fad818d78999cfd78d4 |
| SHA256 | 056232b6127143e2f8bf4218db355d978e1e96f5dedcce59a9f5d6ab92b437f1 |
| SHA512 | 1b54f1e13cb38e41f2a65db3cdc2bc702a9e963751b1ef0338d67b95816441b0143e1d4dabc99f276a04f9c00570bb8933f1bd87394998b3878c268b08ecf24a |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-watch-page-skeleton[1].css
| MD5 | 64c8e3b11cfffc8ebf2240e4f46ab492 |
| SHA1 | 71276680811731f983502e477a87e87cfe72d75f |
| SHA256 | 3acc199c41eb3c884ee9884c15e6b78975499be2255aa203dba38ef24440181c |
| SHA512 | 497a48233bb198e05517e2cba003c2c5ba25183e1654b5b8252b9823f0859497ccab66a77e243238b27ea6eb826ae4fc72efb2f32b2b378edee7f9dfb87f4756 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-player[1].css
| MD5 | c0aca454c0a9b539d3af1213a20c6625 |
| SHA1 | 9893a760290f6d8a9fed3a9f3129e7285b702430 |
| SHA256 | 13a3fa279a6816ddd952f42fd82f5bc170ac2ff89410d14d43954b342ad40040 |
| SHA512 | bc26522c0a1fd3f40af510ab903431c61a990e06cbc63e8806d30acb52414d6962b4ca51faff78d3a77bf9fae058b5343c29e033b42b7c7f277dad919dd6d8be |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549
| MD5 | edcd426c2e88836cd13c98a8fb009401 |
| SHA1 | 6d04f9da8e87fd36deed8fb9a72e0e780be22134 |
| SHA256 | 597d4309cb9dfff967d65d844b63a2562bd97283daa0cc7c143e44c07fde22af |
| SHA512 | 439685606ddd9a6f0557ca76d7e59adbbd659555ffaf6e0dcaa278e7c9cf2588c090a70fa97dab43cb918b8d283c9813f7fae6cb7bc8736f076e22b3fcb59e33 |
memory/4892-1657-0x0000023CBFD00000-0x0000023CBFE00000-memory.dmp
memory/4892-1666-0x0000023CBF6F0000-0x0000023CBF6F2000-memory.dmp
memory/4892-1662-0x0000023CBF690000-0x0000023CBF692000-memory.dmp
memory/4892-1660-0x0000023CBF630000-0x0000023CBF632000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c9f2074a81023775dd918279e488626e |
| SHA1 | 19a0c7439858e11dd43b7e683afaa04a862a8a41 |
| SHA256 | 34469333142007c2d4598929fbbd342170d68612a41b0ea3915f0747c1dca02b |
| SHA512 | 91165d8f9f90953ee17c0071a0c3f60f3649ca99e073b7b0089add712d69acf01719c0f919280ca6b61e38048227da985f1f02dfeac23438a3179770eb3650f1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LICIZUQP\edgecompatviewlist[1].xml
| MD5 | d4fc49dc14f63895d997fa4940f24378 |
| SHA1 | 3efb1437a7c5e46034147cbbc8db017c69d02c31 |
| SHA256 | 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1 |
| SHA512 | cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 890d8371cf2eaee04f8238eb0a5638a9 |
| SHA1 | 588c2d4a23d9d0b6bd54f0f9b19100bfeba8d7bb |
| SHA256 | 85de9e4b55ed2c4fd693587e3936ff589c1486100a567d0b1b84502421d9eb10 |
| SHA512 | 2fc10aa17765ccd6d103d90c31721230bf9269b25a6bd9e749c9e6f6123dcf7d0e3260c2ce3a459b67c1d0c1219ee6609fcabf77564d6a908f35ed9af79cc601 |