Malware Analysis Report

2024-09-11 04:17

Sample ID 240625-gx397sthkd
Target BALDI.exe
SHA256 0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
Tags
umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a

Threat Level: Known bad

The file BALDI.exe was found to be: Known bad.

Malicious Activity Summary

umbral discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

UAC bypass

Umbral

Detect Umbral payload

Modifies WinLogon for persistence

Possible privilege escalation attempt

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Sets desktop wallpaper using registry

Drops file in Windows directory

Event Triggered Execution: Accessibility Features

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Opens file in notepad (likely ransom note)

Checks SCSI registry key(s)

Detects videocard installed

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Event Triggered Execution
T1546
Accessibility Features
T1546.008
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Event Triggered Execution
T1546
Accessibility Features
T1546.008
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Defacement
T1491
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-25 06:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 06:11

Reported

2024-06-25 06:42

Platform

win7-20240221-en

Max time kernel

1560s

Max time network

1564s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALDI.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BALDI.exe

"C:\Users\Admin\AppData\Local\Temp\BALDI.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

N/A

Files

memory/2164-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/2164-1-0x0000000000260000-0x0000000000808000-memory.dmp

memory/2164-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2164-3-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/2164-4-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2560-5-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2560-6-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2560-7-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/2164-8-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2416-9-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2416-10-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 06:11

Reported

2024-06-25 06:21

Platform

win10v2004-20240226-en

Max time kernel

548s

Max time network

555s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALDI.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A

Umbral

stealer umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\windows\system32\takeown.exe N/A
N/A N/A C:\windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\windows\system32\takeown.exe N/A
N/A N/A C:\windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\wlp.tmp" C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\ui65.exe C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\logonuiOWR.exe C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A2FEFCD6-AAF7-4B67-BADA-11579A3B07B5} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Umbral.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_misis major v3.zip\Furios\CRACK FURIOS\CRACK FURIOS\KernelLauncher.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5364 wrote to memory of 5396 N/A C:\Windows\System32\ATBroker.exe C:\Windows\System32\osk.exe
PID 5364 wrote to memory of 5396 N/A C:\Windows\System32\ATBroker.exe C:\Windows\System32\osk.exe
PID 5584 wrote to memory of 2036 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 2036 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 3932 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 3932 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 3316 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 3316 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5096 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5096 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 1988 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 1988 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 4616 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 4616 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 4300 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 4300 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 5148 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 5148 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5584 wrote to memory of 3172 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5584 wrote to memory of 3172 N/A C:\Users\Admin\Downloads\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4716 wrote to memory of 5036 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\windows\system32\takeown.exe
PID 4716 wrote to memory of 5036 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\windows\system32\takeown.exe
PID 4716 wrote to memory of 4348 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\windows\system32\icacls.exe
PID 4716 wrote to memory of 4348 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\windows\system32\icacls.exe
PID 4716 wrote to memory of 1808 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\Windows\System32\shutdown.exe
PID 4716 wrote to memory of 1808 N/A C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe C:\Windows\System32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BALDI.exe

"C:\Users\Admin\AppData\Local\Temp\BALDI.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x244 0x358

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4076 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5048 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4072 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5552 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5608 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5a44e155hb002h410bhb368h76a7d17218bb

C:\Windows\System32\SystemSettingsBroker.exe

C:\Windows\System32\SystemSettingsBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\ATBroker.exe

C:\Windows\System32\ATBroker.exe /start osk

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6196 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6348 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6544 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6352 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6404 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=5360 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6736 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6800 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6424 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7092 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6936 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=7320 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7616 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7772 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7848 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6432 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7176 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=8032 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6832 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=6496 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=8212 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=8484 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=8652 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=8704 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=8836 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=9016 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=8464 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=9012 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=8512 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=8468 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=8180 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9004 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8604 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Temp1_misis major v3.zip\Furios\CRACK FURIOS\CRACK FURIOS\KernelLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_misis major v3.zip\Furios\CRACK FURIOS\CRACK FURIOS\KernelLauncher.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=8892 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --mojo-platform-channel-handle=6136 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=8968 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --mojo-platform-channel-handle=9152 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=9208 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=9152 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=8292 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=7980 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9676 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=9752 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9396 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9396 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --mojo-platform-channel-handle=9572 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Users\Admin\Downloads\Umbral.exe

"C:\Users\Admin\Downloads\Umbral.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=10068 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --mojo-platform-channel-handle=9904 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=10040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=9792 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe

"C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe"

C:\windows\system32\takeown.exe

"C:\windows\system32\takeown.exe" /f C:\

C:\windows\system32\icacls.exe

"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38f9855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 2.20.12.101:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 101.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 114.66.68.104.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
NL 23.62.61.97:443 www.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 23.62.61.97:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.97:443 th.bing.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 th.bing.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 20.190.160.17:443 login.microsoftonline.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 172.64.154.167:443 www2.bing.com tcp
US 8.8.8.8:53 167.154.64.172.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 dl-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 opensea.io udp
US 8.8.8.8:53 opensea.io udp
US 104.18.33.97:443 opensea.io tcp
US 8.8.8.8:53 opensea.io udp
US 8.8.8.8:53 github.com udp
US 104.18.33.97:443 opensea.io tcp
US 8.8.8.8:53 97.33.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.opensea.io udp
US 8.8.8.8:53 api.opensea.io udp
US 8.8.8.8:53 i.seadn.io udp
US 8.8.8.8:53 i.seadn.io udp
US 172.64.154.159:443 api.opensea.io tcp
FR 52.222.201.114:443 i.seadn.io tcp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
US 8.8.8.8:53 static.opensea.io udp
US 8.8.8.8:53 static.opensea.io udp
US 8.8.8.8:53 openseauserdata.com udp
US 8.8.8.8:53 openseauserdata.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com udp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 172.64.154.159:443 static.opensea.io tcp
US 104.18.37.39:443 openseauserdata.com tcp
GB 172.217.16.225:443 lh3.googleusercontent.com tcp
US 8.8.8.8:53 wallets.opensea.io udp
US 8.8.8.8:53 wallets.opensea.io udp
US 8.8.8.8:53 wallets.opensea.io udp
US 8.8.8.8:53 opensea.io udp
US 172.64.154.159:443 opensea.io tcp
US 8.8.8.8:53 159.154.64.172.in-addr.arpa udp
US 8.8.8.8:53 114.201.222.52.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 73.80.16.104.in-addr.arpa udp
US 8.8.8.8:53 39.37.18.104.in-addr.arpa udp
US 8.8.8.8:53 o406206.ingest.sentry.io udp
US 8.8.8.8:53 o406206.ingest.sentry.io udp
US 34.120.195.249:443 o406206.ingest.sentry.io tcp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 wallets.opensea.io udp
US 8.8.8.8:53 opensea.io udp
US 34.120.195.249:443 o406206.ingest.sentry.io udp
US 104.18.33.97:443 opensea.io tcp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 api.moonpay.com udp
US 8.8.8.8:53 api.moonpay.com udp
US 104.18.33.205:443 api.moonpay.com tcp
US 8.8.8.8:53 api2.amplitude.com udp
US 8.8.8.8:53 api2.amplitude.com udp
US 18.246.200.151:443 api2.amplitude.com tcp
US 18.246.200.151:443 api2.amplitude.com tcp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 205.33.18.104.in-addr.arpa udp
US 18.246.200.151:443 api2.amplitude.com tcp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 bat.bing.com udp
US 8.8.8.8:53 bat.bing.com udp
US 13.107.21.237:443 bat.bing.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 64.233.166.155:443 stats.g.doubleclick.net tcp
BE 64.233.166.155:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 151.200.246.18.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 155.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 104.18.33.97:443 opensea.io tcp
US 8.8.8.8:53 auth.privy.io udp
US 8.8.8.8:53 auth.privy.io udp
US 104.18.20.237:443 auth.privy.io tcp
US 8.8.8.8:53 browser-intake-datadoghq.com udp
US 8.8.8.8:53 browser-intake-datadoghq.com udp
US 8.8.8.8:53 widget.intercom.io udp
US 8.8.8.8:53 widget.intercom.io udp
US 3.233.158.25:443 browser-intake-datadoghq.com tcp
FR 52.222.149.33:443 widget.intercom.io tcp
US 104.18.20.237:443 auth.privy.io tcp
US 8.8.8.8:53 js.intercomcdn.com udp
US 8.8.8.8:53 js.intercomcdn.com udp
FR 3.162.38.70:443 js.intercomcdn.com tcp
FR 3.162.38.70:443 js.intercomcdn.com tcp
US 8.8.8.8:53 auth.privy.io udp
US 8.8.8.8:53 auth.privy.io udp
US 8.8.8.8:53 auth.privy.io udp
US 8.8.8.8:53 wallets.opensea.io udp
US 104.18.20.237:443 auth.privy.io tcp
US 8.8.8.8:53 raw.seadn.io udp
US 8.8.8.8:53 raw.seadn.io udp
US 8.8.8.8:53 237.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 25.158.233.3.in-addr.arpa udp
FR 13.249.9.16:443 raw.seadn.io tcp
US 8.8.8.8:53 33.149.222.52.in-addr.arpa udp
US 8.8.8.8:53 70.38.162.3.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 3.233.158.25:443 browser-intake-datadoghq.com tcp
US 8.8.8.8:53 api-iam.intercom.io udp
US 8.8.8.8:53 api-iam.intercom.io udp
US 52.201.170.14:443 api-iam.intercom.io tcp
US 8.8.8.8:53 16.9.249.13.in-addr.arpa udp
US 8.8.8.8:53 relay.walletconnect.com udp
US 8.8.8.8:53 relay.walletconnect.com udp
DE 3.126.230.177:443 relay.walletconnect.com tcp
US 8.8.8.8:53 nexus-websocket-a.intercom.io udp
US 8.8.8.8:53 nexus-websocket-a.intercom.io udp
FR 3.162.38.70:443 js.intercomcdn.com udp
US 34.237.73.95:443 nexus-websocket-a.intercom.io tcp
US 8.8.8.8:53 verify.walletconnect.com udp
US 8.8.8.8:53 verify.walletconnect.com udp
US 8.8.8.8:53 verify.walletconnect.com udp
US 8.8.8.8:53 wallets.opensea.io udp
DE 18.193.242.160:443 verify.walletconnect.com tcp
US 8.8.8.8:53 14.170.201.52.in-addr.arpa udp
US 8.8.8.8:53 177.230.126.3.in-addr.arpa udp
US 8.8.8.8:53 95.73.237.34.in-addr.arpa udp
US 8.8.8.8:53 160.242.193.18.in-addr.arpa udp
US 8.8.8.8:53 explorer-api.walletconnect.com udp
US 8.8.8.8:53 explorer-api.walletconnect.com udp
US 104.18.27.46:443 explorer-api.walletconnect.com udp
US 8.8.8.8:53 46.27.18.104.in-addr.arpa udp
US 8.8.8.8:53 verify.walletconnect.org udp
US 8.8.8.8:53 verify.walletconnect.org udp
US 8.8.8.8:53 verify.walletconnect.org udp
US 8.8.8.8:53 wallets.opensea.io udp
DE 35.157.210.218:443 verify.walletconnect.org tcp
US 8.8.8.8:53 218.210.157.35.in-addr.arpa udp
US 8.8.8.8:53 www.updatestar.com udp
US 8.8.8.8:53 www.updatestar.com udp
US 8.8.8.8:53 www.updatestar.com udp
FR 91.250.81.8:443 www.updatestar.com tcp
FR 91.250.81.8:443 www.updatestar.com tcp
FR 91.250.81.8:443 www.updatestar.com tcp
US 8.8.8.8:53 oxy.cloud udp
US 8.8.8.8:53 oxy.cloud udp
US 8.8.8.8:53 oxy.cloud udp
RU 185.178.208.145:443 oxy.cloud tcp
RU 185.178.208.145:443 oxy.cloud tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 contextual.media.net udp
US 8.8.8.8:53 contextual.media.net udp
BE 23.55.96.24:443 contextual.media.net tcp
US 8.8.8.8:53 ads.themoneytizer.com udp
US 8.8.8.8:53 ads.themoneytizer.com udp
US 104.22.63.227:443 ads.themoneytizer.com tcp
US 104.22.63.227:443 ads.themoneytizer.com tcp
US 8.8.8.8:53 smatr.net udp
US 8.8.8.8:53 smatr.net udp
US 8.8.8.8:53 cdn.adlook.me udp
US 8.8.8.8:53 cdn.adlook.me udp
NL 88.208.46.222:443 smatr.net tcp
US 8.8.8.8:53 lg3.media.net udp
US 8.8.8.8:53 lg3.media.net udp
US 8.8.8.8:53 yastatic.net udp
US 8.8.8.8:53 yastatic.net udp
RU 193.17.93.93:443 cdn.adlook.me tcp
US 8.8.8.8:53 145.208.178.185.in-addr.arpa udp
US 8.8.8.8:53 24.96.55.23.in-addr.arpa udp
RU 178.154.131.215:443 yastatic.net tcp
US 8.8.8.8:53 227.63.22.104.in-addr.arpa udp
RU 178.154.131.215:443 yastatic.net tcp
SE 23.43.108.23:443 lg3.media.net tcp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 oxy.cloud udp
DE 51.89.9.253:443 onetag-sys.com tcp
US 8.8.8.8:53 cdn.themoneytizer.fr udp
US 8.8.8.8:53 cdn.themoneytizer.fr udp
US 8.8.8.8:53 ced.sascdn.com udp
US 8.8.8.8:53 ced.sascdn.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 secure.quantserve.com udp
US 8.8.8.8:53 secure.quantserve.com udp
US 8.8.8.8:53 p.cpx.to udp
US 8.8.8.8:53 p.cpx.to udp
US 8.8.8.8:53 adtrack.adleadevent.com udp
US 8.8.8.8:53 adtrack.adleadevent.com udp
US 8.8.8.8:53 ogffa.net udp
US 8.8.8.8:53 ogffa.net udp
US 8.8.8.8:53 counter.yadro.ru udp
US 8.8.8.8:53 counter.yadro.ru udp
US 104.21.40.15:443 cdn.themoneytizer.fr udp
IE 52.49.242.239:443 p.cpx.to tcp
BE 23.14.90.73:443 ced.sascdn.com tcp
DE 91.228.74.166:443 secure.quantserve.com tcp
IE 63.34.213.143:443 adtrack.adleadevent.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
RU 88.212.202.52:443 counter.yadro.ru tcp
NL 88.208.46.222:443 ogffa.net tcp
US 8.8.8.8:53 system-notify.app udp
US 8.8.8.8:53 system-notify.app udp
DE 178.63.248.57:443 system-notify.app tcp
US 8.8.8.8:53 cdn.adlook.me udp
US 8.8.8.8:53 cdn.adlook.me udp
US 8.8.8.8:53 cdn.adlook.me udp
US 8.8.8.8:53 oxy.cloud udp
RU 193.17.93.93:443 cdn.adlook.me tcp
US 8.8.8.8:53 ads.adlook.me udp
US 8.8.8.8:53 ads.adlook.me udp
US 8.8.8.8:53 csm.nl3.eu.criteo.net udp
US 8.8.8.8:53 csm.nl3.eu.criteo.net udp
RU 46.243.182.88:443 ads.adlook.me tcp
NL 178.250.1.25:443 csm.nl3.eu.criteo.net tcp
US 8.8.8.8:53 rules.quantcount.com udp
US 8.8.8.8:53 rules.quantcount.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 222.46.208.88.in-addr.arpa udp
US 8.8.8.8:53 93.93.17.193.in-addr.arpa udp
US 8.8.8.8:53 215.131.154.178.in-addr.arpa udp
US 8.8.8.8:53 23.108.43.23.in-addr.arpa udp
US 8.8.8.8:53 253.9.89.51.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 15.40.21.104.in-addr.arpa udp
US 8.8.8.8:53 166.74.228.91.in-addr.arpa udp
US 8.8.8.8:53 11.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 239.242.49.52.in-addr.arpa udp
US 8.8.8.8:53 143.213.34.63.in-addr.arpa udp
US 8.8.8.8:53 52.202.212.88.in-addr.arpa udp
US 8.8.8.8:53 57.248.63.178.in-addr.arpa udp
US 8.8.8.8:53 uidsync.net udp
NL 185.89.210.244:443 ib.adnxs.com tcp
US 52.223.40.198:443 match.adsrvr.org tcp
FR 18.244.28.87:443 rules.quantcount.com tcp
US 104.22.53.86:443 cdn.id5-sync.com tcp
DE 157.90.33.68:443 system-notify.app tcp
US 8.8.8.8:53 pixel.quantserve.com udp
US 8.8.8.8:53 pixel.quantserve.com udp
DE 157.90.33.68:443 system-notify.app tcp
US 8.8.8.8:53 cdn-a.adlook.me udp
US 8.8.8.8:53 cdn-a.adlook.me udp
US 8.8.8.8:53 utraff.com udp
US 8.8.8.8:53 utraff.com udp
RU 46.243.182.100:443 cdn-a.adlook.me tcp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 oxy.cloud udp
US 104.26.6.189:443 utraff.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 s.cpx.to udp
US 8.8.8.8:53 s.cpx.to udp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 sync.dmp.otm-r.com udp
US 8.8.8.8:53 sync.dmp.otm-r.com udp
IE 52.49.242.239:443 s.cpx.to tcp
DE 195.201.152.104:443 sync.dmp.otm-r.com tcp
RU 93.158.134.119:443 mc.yandex.ru tcp
RU 93.158.134.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 sync.bumlam.com udp
US 8.8.8.8:53 sync.bumlam.com udp
US 8.8.8.8:53 match.new-programmatic.com udp
US 8.8.8.8:53 match.new-programmatic.com udp
US 8.8.8.8:53 ads.betweendigital.com udp
US 8.8.8.8:53 ads.betweendigital.com udp
US 8.8.8.8:53 www.acint.net udp
US 8.8.8.8:53 www.acint.net udp
DE 195.201.152.104:443 sync.dmp.otm-r.com tcp
US 8.8.8.8:53 exchange.buzzoola.com udp
US 8.8.8.8:53 px.adhigh.net udp
US 8.8.8.8:53 px.adhigh.net udp
US 8.8.8.8:53 25.1.250.178.in-addr.arpa udp
DE 31.172.81.146:443 sync.bumlam.com tcp
US 8.8.8.8:53 88.182.243.46.in-addr.arpa udp
RU 217.65.2.150:443 match.new-programmatic.com tcp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
NL 188.42.34.65:443 ads.betweendigital.com tcp
US 8.8.8.8:53 244.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 87.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 100.182.243.46.in-addr.arpa udp
RU 193.3.184.131:443 www.acint.net tcp
US 8.8.8.8:53 68.33.90.157.in-addr.arpa udp
US 8.8.8.8:53 86.53.22.104.in-addr.arpa udp
US 8.8.8.8:53 189.6.26.104.in-addr.arpa udp
DE 167.235.7.148:443 exchange.buzzoola.com tcp
RU 193.232.148.130:443 px.adhigh.net tcp
US 8.8.8.8:53 sync.opendsp.ru udp
US 8.8.8.8:53 sync.opendsp.ru udp
US 8.8.8.8:53 sync.programmatica.com udp
US 8.8.8.8:53 sync.programmatica.com udp
US 8.8.8.8:53 kimberlite.io udp
US 8.8.8.8:53 kimberlite.io udp
US 8.8.8.8:53 ssp.al-adtech.com udp
US 8.8.8.8:53 ssp.al-adtech.com udp
RU 158.160.128.78:443 sync.programmatica.com tcp
RU 158.160.128.78:443 sync.programmatica.com tcp
RU 82.148.20.186:443 sync.opendsp.ru tcp
RU 82.148.20.186:443 sync.opendsp.ru tcp
RU 217.199.220.43:443 kimberlite.io tcp
RU 217.199.220.43:443 kimberlite.io tcp
RU 45.139.25.124:443 ssp.al-adtech.com tcp
RU 82.148.20.186:443 sync.opendsp.ru tcp
US 8.8.8.8:53 ssp-rtb.sape.ru udp
US 8.8.8.8:53 ssp-rtb.sape.ru udp
RU 193.3.184.216:443 ssp-rtb.sape.ru tcp
RU 193.3.184.216:443 ssp-rtb.sape.ru tcp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
FR 178.250.7.13:443 dnacdn.net tcp
FR 185.235.86.3:443 gem.gbc.criteo.com tcp
FR 185.235.86.14:443 gem.gbc.criteo.com tcp
RU 45.139.25.124:443 ssp.al-adtech.com tcp
US 8.8.8.8:53 redirect.frontend.weborama.fr udp
US 8.8.8.8:53 sm.rtb.mts.ru udp
US 8.8.8.8:53 sm.rtb.mts.ru udp
RU 217.66.147.40:443 sm.rtb.mts.ru tcp
US 35.190.24.218:443 redirect.frontend.weborama.fr tcp
US 8.8.8.8:53 nr.bidderstack.com udp
US 8.8.8.8:53 nr.bidderstack.com udp
US 8.8.8.8:53 videotarget-sync.rutarget.ru udp
US 8.8.8.8:53 videotarget-sync.rutarget.ru udp
RU 217.66.147.40:443 sm.rtb.mts.ru tcp
US 8.8.8.8:53 cs.agency2.ru udp
US 8.8.8.8:53 cs.agency2.ru udp
DE 162.55.144.211:443 nr.bidderstack.com tcp
RU 23.105.255.196:443 cs.agency2.ru tcp
US 8.8.8.8:53 id5-sync.com udp
US 8.8.8.8:53 lb.eu-1-id5-sync.com udp
US 8.8.8.8:53 lb.eu-1-id5-sync.com udp
US 8.8.8.8:53 acint.net udp
US 8.8.8.8:53 acint.net udp
RU 188.72.109.103:443 videotarget-sync.rutarget.ru tcp
DE 162.19.138.117:443 lb.eu-1-id5-sync.com tcp
DE 162.19.138.82:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 a.utraff.com udp
US 8.8.8.8:53 a.utraff.com udp
US 8.8.8.8:53 sync.upravel.com udp
US 8.8.8.8:53 sync.upravel.com udp
DE 148.251.236.115:443 sync.upravel.com tcp
US 8.8.8.8:53 sync.gonet-ads.com udp
US 8.8.8.8:53 sync.gonet-ads.com udp
US 8.8.8.8:53 104.152.201.195.in-addr.arpa udp
NL 23.109.14.90:443 sync.gonet-ads.com tcp
US 8.8.8.8:53 ad.mail.ru udp
US 8.8.8.8:53 ad.mail.ru udp
US 8.8.8.8:53 vma.mts.ru udp
US 8.8.8.8:53 vma.mts.ru udp
US 8.8.8.8:53 119.134.158.93.in-addr.arpa udp
US 8.8.8.8:53 146.81.172.31.in-addr.arpa udp
US 8.8.8.8:53 65.34.42.188.in-addr.arpa udp
US 8.8.8.8:53 148.7.235.167.in-addr.arpa udp
US 8.8.8.8:53 150.2.65.217.in-addr.arpa udp
US 8.8.8.8:53 131.184.3.193.in-addr.arpa udp
US 8.8.8.8:53 130.148.232.193.in-addr.arpa udp
US 8.8.8.8:53 78.128.160.158.in-addr.arpa udp
RU 95.163.41.56:443 ad.mail.ru tcp
RU 217.66.147.37:443 vma.mts.ru tcp
RU 217.66.147.37:443 vma.mts.ru tcp
US 8.8.8.8:53 rtb.com.ru udp
US 8.8.8.8:53 rtb.com.ru udp
US 8.8.8.8:53 x01.aidata.io udp
US 8.8.8.8:53 x01.aidata.io udp
US 8.8.8.8:53 186.20.148.82.in-addr.arpa udp
US 8.8.8.8:53 7384320938474194377-otm.ops.beeline.ru udp
US 8.8.8.8:53 7384320938474194377-otm.ops.beeline.ru udp
RU 83.222.114.190:443 rtb.com.ru tcp
US 8.8.8.8:53 124.25.139.45.in-addr.arpa udp
US 8.8.8.8:53 13.7.250.178.in-addr.arpa udp
US 8.8.8.8:53 3.86.235.185.in-addr.arpa udp
US 8.8.8.8:53 14.86.235.185.in-addr.arpa udp
US 8.8.8.8:53 218.24.190.35.in-addr.arpa udp
US 8.8.8.8:53 211.144.55.162.in-addr.arpa udp
US 8.8.8.8:53 40.147.66.217.in-addr.arpa udp
RU 217.66.147.37:443 vma.mts.ru tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 rtb.moe.video udp
US 8.8.8.8:53 rtb.moe.video udp
US 8.8.8.8:53 x01.aidata.io udp
US 8.8.8.8:53 sync.dsp.solta.io udp
US 8.8.8.8:53 sync.dsp.solta.io udp
RU 188.124.47.43:443 rtb.moe.video tcp
US 8.8.8.8:53 7384320938474194377-otm.ops.beeline.ru udp
US 8.8.8.8:53 7384320938474194377-otm.ops.beeline.ru udp
RU 89.108.119.28:443 x01.aidata.io tcp
RU 83.222.114.190:443 rtb.com.ru tcp
RU 217.199.220.72:443 sync.dsp.solta.io tcp
US 8.8.8.8:53 download.oxy.cloud udp
US 8.8.8.8:53 download.oxy.cloud udp
US 8.8.8.8:53 a.lotus-dsp.ru udp
US 8.8.8.8:53 a.lotus-dsp.ru udp
RU 37.9.245.57:443 7384320938474194377-otm.ops.beeline.ru tcp
RU 185.178.208.145:443 download.oxy.cloud tcp
US 172.67.140.221:443 a.lotus-dsp.ru udp
US 8.8.8.8:53 an.yandex.ru udp
US 8.8.8.8:53 an.yandex.ru udp
US 8.8.8.8:53 dmg.digitaltarget.ru udp
US 8.8.8.8:53 dmg.digitaltarget.ru udp
US 8.8.8.8:53 sync.otm-r.com udp
US 8.8.8.8:53 sync.otm-r.com udp
RU 87.250.250.90:443 an.yandex.ru tcp
US 8.8.8.8:53 sp.ohmy.bid udp
US 8.8.8.8:53 sp.ohmy.bid udp
RU 185.15.175.144:443 dmg.digitaltarget.ru tcp
RU 194.55.244.195:443 sync.otm-r.com tcp
DE 167.235.14.51:443 sp.ohmy.bid tcp
US 8.8.8.8:53 sync.rambler.ru udp
US 8.8.8.8:53 sync.rambler.ru udp
US 8.8.8.8:53 dsp.qtarget.tech udp
US 8.8.8.8:53 dsp.qtarget.tech udp
RU 87.242.127.163:443 sync.rambler.ru tcp
RU 95.163.92.179:443 dsp.qtarget.tech tcp
US 8.8.8.8:53 s.suprion.ru udp
US 8.8.8.8:53 s.suprion.ru udp
RU 213.248.44.211:443 s.suprion.ru tcp
US 8.8.8.8:53 196.255.105.23.in-addr.arpa udp
US 8.8.8.8:53 82.138.19.162.in-addr.arpa udp
US 8.8.8.8:53 103.109.72.188.in-addr.arpa udp
US 8.8.8.8:53 115.236.251.148.in-addr.arpa udp
US 8.8.8.8:53 90.14.109.23.in-addr.arpa udp
US 8.8.8.8:53 37.147.66.217.in-addr.arpa udp
US 8.8.8.8:53 56.41.163.95.in-addr.arpa udp
US 8.8.8.8:53 28.119.108.89.in-addr.arpa udp
US 8.8.8.8:53 43.47.124.188.in-addr.arpa udp
US 8.8.8.8:53 221.140.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.220.199.217.in-addr.arpa udp
US 8.8.8.8:53 57.245.9.37.in-addr.arpa udp
US 8.8.8.8:53 117.138.19.162.in-addr.arpa udp
US 8.8.8.8:53 144.175.15.185.in-addr.arpa udp
US 8.8.8.8:53 51.14.235.167.in-addr.arpa udp
US 8.8.8.8:53 90.250.250.87.in-addr.arpa udp
US 8.8.8.8:53 195.244.55.194.in-addr.arpa udp
US 8.8.8.8:53 redirect-frontend.weborama-tech.ru udp
RU 178.154.231.214:443 redirect-frontend.weborama-tech.ru tcp
US 8.8.8.8:53 cs.alfasense.com udp
US 8.8.8.8:53 cs.alfasense.com udp
US 8.8.8.8:53 yandex.ru udp
US 8.8.8.8:53 yandex.ru udp
US 8.8.8.8:53 privacy-cs.mail.ru udp
US 8.8.8.8:53 privacy-cs.mail.ru udp
RU 23.111.100.20:443 cs.alfasense.com tcp
RU 5.255.255.77:443 yandex.ru tcp
US 8.8.8.8:53 dm-eu.hybrid.ai udp
US 8.8.8.8:53 dm-eu.hybrid.ai udp
RU 95.163.52.89:443 privacy-cs.mail.ru tcp
NL 37.230.131.22:443 dm-eu.hybrid.ai tcp
US 8.8.8.8:53 ev.adriver.ru udp
US 8.8.8.8:53 ev.adriver.ru udp
US 8.8.8.8:53 match.ohmy.bid udp
US 8.8.8.8:53 match.ohmy.bid udp
RU 195.209.108.55:443 ev.adriver.ru tcp
DE 167.235.9.235:443 match.ohmy.bid tcp
DE 167.235.9.235:443 match.ohmy.bid tcp
RU 5.255.255.77:443 yandex.ru tcp
US 8.8.8.8:53 stat.adlook.me udp
RU 95.163.52.89:443 privacy-cs.mail.ru tcp
RU 78.140.242.103:443 stat.adlook.me tcp
RU 78.140.242.103:443 stat.adlook.me tcp
RU 78.140.242.103:443 stat.adlook.me tcp
US 8.8.8.8:53 7384320938346374329.sync.otm-r.com udp
US 8.8.8.8:53 7384320938346374329.sync.otm-r.com udp
US 8.8.8.8:53 163.127.242.87.in-addr.arpa udp
US 8.8.8.8:53 179.92.163.95.in-addr.arpa udp
US 8.8.8.8:53 211.44.248.213.in-addr.arpa udp
US 8.8.8.8:53 20.100.111.23.in-addr.arpa udp
US 8.8.8.8:53 214.231.154.178.in-addr.arpa udp
US 8.8.8.8:53 55.108.209.195.in-addr.arpa udp
US 8.8.8.8:53 77.255.255.5.in-addr.arpa udp
US 8.8.8.8:53 22.131.230.37.in-addr.arpa udp
US 8.8.8.8:53 235.9.235.167.in-addr.arpa udp
US 8.8.8.8:53 89.52.163.95.in-addr.arpa udp
US 8.8.8.8:53 103.242.140.78.in-addr.arpa udp
RU 194.55.244.195:443 7384320938346374329.sync.otm-r.com tcp
RU 95.163.41.56:443 ad.mail.ru tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 104.26.6.189:443 a.utraff.com tcp
US 8.8.8.8:53 weborama.utraff.com udp
US 8.8.8.8:53 weborama.utraff.com udp
US 8.8.8.8:53 oxy.cloud udp
US 172.67.74.180:443 weborama.utraff.com tcp
US 8.8.8.8:53 a.adsource.tech udp
US 8.8.8.8:53 a.adsource.tech udp
US 8.8.8.8:53 s.uuidksinc.net udp
US 8.8.8.8:53 a.udsp.io udp
US 8.8.8.8:53 a.udsp.io udp
RU 217.65.2.150:443 match.new-programmatic.com tcp
US 8.8.8.8:53 adx.com.ru udp
US 8.8.8.8:53 adx.com.ru udp
RU 217.66.147.40:443 vma.mts.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
NL 31.220.27.155:443 s.uuidksinc.net tcp
RU 83.222.105.114:443 adx.com.ru tcp
US 104.21.53.176:443 a.udsp.io udp
US 104.21.37.210:443 a.adsource.tech udp
US 8.8.8.8:53 a.adiam.tech udp
US 8.8.8.8:53 a.adiam.tech udp
US 104.21.58.49:443 a.adiam.tech udp
US 8.8.8.8:53 instreamvideo.ru udp
US 8.8.8.8:53 instreamvideo.ru udp
RU 87.245.200.230:443 instreamvideo.ru tcp
US 8.8.8.8:53 cstatic.weborama.fr udp
US 8.8.8.8:53 cstatic.weborama.fr udp
US 8.8.8.8:53 pixel.dsp.onetarget.ru udp
US 8.8.8.8:53 pixel.dsp.onetarget.ru udp
US 152.199.22.228:443 cstatic.weborama.fr tcp
RU 185.15.175.144:443 dmg.digitaltarget.ru tcp
RU 130.193.53.230:443 pixel.dsp.onetarget.ru tcp
US 35.190.24.218:443 redirect.frontend.weborama.fr udp
US 152.199.22.228:443 cstatic.weborama.fr tcp
US 8.8.8.8:53 cstatic.weborama.fr udp
US 8.8.8.8:53 weborama.utraff.com udp
US 8.8.8.8:53 180.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 176.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 210.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 155.27.220.31.in-addr.arpa udp
US 8.8.8.8:53 49.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 114.105.222.83.in-addr.arpa udp
US 8.8.8.8:53 230.200.245.87.in-addr.arpa udp
US 8.8.8.8:53 228.22.199.152.in-addr.arpa udp
US 8.8.8.8:53 230.53.193.130.in-addr.arpa udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 13.107.6.158:80 edge-http.microsoft.com tcp
US 52.201.170.14:443 api-iam.intercom.io tcp
NL 88.208.46.222:443 ogffa.net tcp
US 8.8.8.8:53 download.oxy.cloud udp
US 8.8.8.8:53 oxy.cloud udp
RU 185.178.208.145:443 oxy.cloud tcp
US 8.8.8.8:53 csm.nl3.eu.criteo.net udp
US 8.8.8.8:53 csm.nl3.eu.criteo.net udp
NL 178.250.1.25:443 csm.nl3.eu.criteo.net tcp
SE 23.43.108.23:443 lg3.media.net udp
DE 51.89.9.253:443 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 download.oxy.cloud udp
DE 178.63.248.57:443 system-notify.app tcp
US 8.8.8.8:53 cdn.adlook.me udp
US 8.8.8.8:53 download.oxy.cloud udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 download.oxy.cloud udp
NL 185.89.210.244:443 ib.adnxs.com tcp
DE 157.90.33.68:443 system-notify.app tcp
DE 157.90.33.68:443 system-notify.app tcp
NL 178.250.1.11:443 gum.criteo.com tcp
RU 178.154.131.215:443 yastatic.net tcp
DE 162.19.138.117:443 lb.eu-1-id5-sync.com tcp
DE 162.19.138.82:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 s1.oxy.cloud udp
US 8.8.8.8:53 s1.oxy.cloud udp
RU 185.178.208.145:443 s1.oxy.cloud tcp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 app-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 app-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 tmzr.themoneytizer.fr udp
US 8.8.8.8:53 tmzr.themoneytizer.fr udp
NL 178.250.1.11:443 gum.criteo.com tcp
DE 162.19.138.117:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 ww1097.smartadserver.com udp
US 8.8.8.8:53 ww1097.smartadserver.com udp
US 8.8.8.8:53 lexicon.33across.com udp
US 8.8.8.8:53 lexicon.33across.com udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 id.crwdcntrl.net udp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
US 35.244.193.51:443 lexicon.33across.com tcp
IE 63.33.74.9:443 id.crwdcntrl.net tcp
NL 178.250.1.11:443 gum.criteo.com tcp
DE 162.19.138.82:443 lb.eu-1-id5-sync.com tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
DE 162.19.138.117:443 lb.eu-1-id5-sync.com tcp
RU 83.222.114.189:443 rtb.com.ru tcp
RU 83.222.114.189:443 rtb.com.ru tcp
US 8.8.8.8:53 227.210.32.178.in-addr.arpa udp
US 8.8.8.8:53 51.193.244.35.in-addr.arpa udp
US 8.8.8.8:53 9.74.33.63.in-addr.arpa udp
RU 83.222.114.188:443 rtb.com.ru tcp
RU 83.222.114.188:443 rtb.com.ru tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
NL 23.62.61.155:443 www.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 23.62.61.194:443 th.bing.com udp
NL 23.62.61.194:443 th.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
RU 83.222.114.187:443 rtb.com.ru tcp
RU 83.222.114.187:443 rtb.com.ru tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
RU 83.222.114.186:443 rtb.com.ru tcp
RU 83.222.114.186:443 rtb.com.ru tcp
NL 23.62.61.194:443 www.bing.com udp
NL 23.62.61.155:443 www.bing.com udp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
FR 178.32.210.227:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 services.bingapis.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 web.telegram.org udp
NL 149.154.167.99:443 web.telegram.org tcp
NL 149.154.167.99:443 web.telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 telegram.me udp
US 8.8.8.8:53 telegram.me udp
NL 149.154.167.99:443 telegram.me tcp
NL 149.154.167.99:443 telegram.me tcp
US 172.64.154.167:443 www2.bing.com udp
US 8.8.8.8:53 zws2.web.telegram.org udp
US 8.8.8.8:53 zws2.web.telegram.org udp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com udp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 web.telegram.org udp
US 8.8.8.8:53 zws5.web.telegram.org udp
US 8.8.8.8:53 zws5.web.telegram.org udp
US 8.8.8.8:53 zws5.web.telegram.org udp
US 8.8.8.8:53 zws1.web.telegram.org udp
US 8.8.8.8:53 zws1.web.telegram.org udp
SG 149.154.170.200:443 zws5.web.telegram.org tcp
US 8.8.8.8:53 zws1.web.telegram.org udp
US 8.8.8.8:53 zws1.web.telegram.org udp
US 149.154.174.200:443 zws1.web.telegram.org tcp
NL 149.154.167.99:443 web.telegram.org tcp
US 8.8.8.8:53 200.174.154.149.in-addr.arpa udp
US 8.8.8.8:53 200.170.154.149.in-addr.arpa udp
NL 149.154.167.99:443 web.telegram.org tcp
NL 149.154.167.99:443 web.telegram.org tcp
NL 149.154.167.99:443 web.telegram.org tcp
US 8.8.8.8:53 zws4.web.telegram.org udp
US 8.8.8.8:53 zws4.web.telegram.org udp
NL 149.154.167.99:443 zws4.web.telegram.org tcp
SG 149.154.170.200:443 zws5.web.telegram.org tcp
SG 149.154.170.200:443 zws5.web.telegram.org tcp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
US 8.8.8.8:53 ww1097.smartadserver.com udp
US 8.8.8.8:53 ww1097.smartadserver.com udp
FR 178.32.210.226:443 ww1097.smartadserver.com tcp
FR 178.32.210.226:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 226.210.32.178.in-addr.arpa udp
US 8.8.8.8:53 zws2.web.telegram.org udp
US 8.8.8.8:53 zws2.web.telegram.org udp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 app-edge.smartscreen.microsoft.com tcp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
US 8.8.8.8:53 zws2-1.web.telegram.org udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.99:443 zws2-1.web.telegram.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ww1097.smartadserver.com udp
US 8.8.8.8:53 ww1097.smartadserver.com udp
FR 51.178.195.209:443 ww1097.smartadserver.com tcp
FR 51.178.195.209:443 ww1097.smartadserver.com tcp
US 8.8.8.8:53 209.195.178.51.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 telegram.me udp
US 8.8.8.8:53 telegram.me udp
US 8.8.8.8:53 zws2.web.telegram.org udp
US 8.8.8.8:53 zws2.web.telegram.org udp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
NL 149.154.167.99:443 zws2.web.telegram.org tcp
NL 23.62.61.155:443 www.bing.com udp

Files

memory/864-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

memory/864-1-0x0000000000F90000-0x0000000001538000-memory.dmp

memory/864-2-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

memory/864-3-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

memory/864-4-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

memory/864-5-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

memory/2964-8-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-7-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-6-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-13-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-18-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-17-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-16-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-15-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-14-0x000001C706790000-0x000001C706791000-memory.dmp

memory/2964-12-0x000001C706790000-0x000001C706791000-memory.dmp

memory/4720-20-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-21-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

memory/4720-19-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-26-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-27-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-28-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-29-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-30-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/4720-31-0x000001D3C9360000-0x000001D3C9361000-memory.dmp

memory/5584-36-0x000001FAC6EE0000-0x000001FAC6F20000-memory.dmp

memory/2036-42-0x00000246E1450000-0x00000246E1472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kk2s1lxe.let.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

memory/5584-61-0x000001FAE1690000-0x000001FAE1706000-memory.dmp

memory/5584-62-0x000001FAE1610000-0x000001FAE1660000-memory.dmp

memory/5584-63-0x000001FAE14A0000-0x000001FAE14BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 efe05055dc30f1da03bd1653594f8b0a
SHA1 8650a67ec9d1b8eed7caa4e4c86ebb8531bc7ba2
SHA256 10b3d946f07601b28c5cd6ee36fd0fffb41f3d96094a478d088ce30ebf9a694d
SHA512 5096856b34336cafbd2ee4dc4709bfa39c8794d8fc42777a460b79d52482b699013f237dfee2ecaf2b21487cc933b807bc5bad9b81f7070ba0dc4f6efcfa2f36

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7164c3d7c57ebbaec233482f2e1cc1f1
SHA1 a767f48a2a10c216470d0782100828f0bed91579
SHA256 65ca843513f0f6ee03ae9b357fd6fea801a17ffe23c8a04777f8f06a5f0206ae
SHA512 bc09ee737727408fa5a969a6eb2be0be83d521e4f3f6c0567e4caa28f09de2794d413fbef52a5a7243fb49005d69ab56052ce417440d07beadbc6684cb362951

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

MD5 4c8fa14eeeeda6fe76a08d14e08bf756
SHA1 30003b6798090ec74eb477bbed88e086f8552976
SHA256 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

memory/5584-99-0x000001FAE1660000-0x000001FAE1672000-memory.dmp

memory/5584-98-0x000001FAE14C0000-0x000001FAE14CA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6b6fd491e63e43bb85df978ae75c74f
SHA1 5d5bcdc539420f7a1cf9531ddd1b3ea13d4ac48c
SHA256 b3d0ec5df3bf5ad44ab09cab8c9cb321f1cb314981720890cab3a652031a7c6b
SHA512 711dadc96bacb79742235e821a16454177d4ca547cbb653723ae9036ecdbcb719b530cd04e9fb40fd6a783f4445d5618baa2232ee6e7baf8ee85f081f154f34c

memory/4716-116-0x0000000000BB0000-0x00000000021B4000-memory.dmp