Analysis Overview
Threat Level: Likely malicious
The file http://roblox.com was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-07-01 11:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-01 11:55
Reported: 2024-07-01 11:57
Platform: win11-20240611-en
Max time kernel: 66s
Max time network: 70s
Command Line
Signatures
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\uxinit.dll.backup | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File created | C:\Windows\System32\uxinit.dll.new | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File opened for modification | C:\Windows\system32\uxinit.dll.new | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File created | C:\Windows\System32\themeui.dll.backup | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File opened for modification | C:\Windows\System32\themeui.dll.backup | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File created | C:\Windows\System32\themeui.dll.new | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| File opened for modification | C:\Windows\system32\themeui.dll.new | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://roblox.com"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://roblox.com
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.0.664898366\1330319826" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebd1f7d-68a1-441e-90d8-60b23e2dca14} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 1892 21036f0f758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.1.502433669\514594074" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {310e0614-3f61-41c5-92a8-c57efa84c6f8} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 2440 2102a285658 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.2.980968536\1049228978" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3124 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6471541-7f4e-4cd5-a8e7-6656eaed7c4c} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 2836 21035f91958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.3.1974499618\1038457118" -childID 2 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fba848c4-1fbf-4519-8d88-0188e4b6565e} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 3716 2102a276e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.4.1206523712\1551427079" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f2a1e01-900b-4a23-9646-3d1bf19c95fa} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5252 2103efc9858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.5.1193186863\1559860628" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 5436 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36e8fc9c-dde7-45e0-85a9-0a9c184ebe16} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 4820 21037889858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.6.1668665454\1247371789" -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 2904 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a58521f2-a5f1-44a8-94df-ed40bbfc41ab} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5528 2103e0da158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.7.2126728635\76219691" -childID 6 -isForBrowser -prefsHandle 5628 -prefMapHandle 5840 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e20f804-170d-470d-9061-7ee8dd2da7c2} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5848 2103fa04758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.8.534418262\138322676" -childID 7 -isForBrowser -prefsHandle 5132 -prefMapHandle 5216 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ffbf07-b04c-48db-b49e-b830326725b9} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 5076 2103a20e758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3784.9.2138354627\643815865" -childID 8 -isForBrowser -prefsHandle 3660 -prefMapHandle 3680 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b51df935-918f-4f0a-bb90-d9b127ab5065} 3784 "\\.\pipe\gecko-crash-server-pipe.3784" 3652 2103f570558 tab
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe
"C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| FR | 128.116.122.4:80 | roblox.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| FR | 128.116.122.4:443 | roblox.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 44.242.121.21:443 | shavar.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| GB | 128.116.119.4:443 | ecsv2.roblox.com | tcp |
| N/A | 127.0.0.1:49742 | N/A | tcp |
| GB | 128.116.119.4:443 | ecsv2.roblox.com | udp |
| N/A | 127.0.0.1:49750 | N/A | tcp |
| US | 18.245.199.73:443 | css.rbxcdn.com | tcp |
| BE | 23.14.90.81:443 | static.rbxcdn.com | tcp |
| GB | 18.244.155.18:443 | roblox-api.arkoselabs.com | tcp |
| GB | 18.245.253.103:443 | dw04ej0wrfjel.cloudfront.net | tcp |
| FR | 128.116.122.4:443 | roblox.com | udp |
| GB | 18.244.155.18:443 | roblox-api.arkoselabs.com | udp |
| BE | 23.14.90.88:443 | apis.rbxcdn.com | tcp |
| BE | 23.14.90.104:443 | images.rbxcdn.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 20.223.54.233:443 | links.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| DE | 130.61.243.57:443 | mhoefs.eu | tcp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.2W3mLf8f.4.2.exe.part
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe:Zone.Identifier
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.2.exe
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\nsisFile.dll
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\nsDialogs.dll
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\SysRestore.dll
C:\Windows\System32\themeui.dll.new
C:\Windows\System32\uxinit.dll.new
C:\Users\Admin\AppData\Local\Temp\nsb82B.tmp\modern-wizard.bmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs.js