umbral | 3f9f090495745e9e0dab12b90f3f327c4b440ed528a12bf2ad9d9e28f75492f6

Analysis

max time kernel
145s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2023, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VSMA2biL.html
Size

2KB
MD5

d4822f078c08991bc098f36191dac13d
SHA1

81d75fc6905baac0e8960fd7175b96eb37d8a601
SHA256

3f9f090495745e9e0dab12b90f3f327c4b440ed528a12bf2ad9d9e28f75492f6
SHA512

d7edab496d56c9ec7ced99f591d54aacbe30c2bb7fdf41ebe877291de0e3d318a1dabe2f72a66a5a51ccfb479ed527576ad4848984d67423f561f0b764d9cb2b

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1123698267734147092/H6VI6Ltd6c0H1neojvhDANzOgzs4lvN4697yRGsnC0bfPHO4TrnYRwot3r_kMRfc7-jX

Signatures

Detect Umbral payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0004000000023199-430.dat	family_umbral
behavioral2/files/0x0004000000023199-1151.dat	family_umbral
behavioral2/files/0x0004000000023199-1148.dat	family_umbral
behavioral2/memory/3716-1159-0x000002191CE70000-0x000002191CEB0000-memory.dmp	family_umbral
behavioral2/files/0x0004000000023199-1567.dat	family_umbral
behavioral2/files/0x0004000000023199-1570.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 3 IoCs

pid	Process
3716	Fps unlocker.exe
5192	Fps unlocker.exe
1528	Fps unlocker.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://t.ly/CLBs"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06f95c708aad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 06a06ac708aad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042056"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3422529865"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F773E0FC-15FB-11EE-85C3-5A9695CC9A3E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082e1c0dc4be3f54f8ffc5370cc661e560000000002000000000010660000000100002000000018e53dff7bf02ad09b40d297195e82b90b19998a9d2cfa82f5b5f6c8b5157430000000000e80000000020000200000008f843079cc4a2642b9cfbcf38f552db73f0c0a09ea91db4a5d2ed40f54b1bc302000000098d20c25bd8f5054a8c73c5454a405b41f8f8708e5cc18026ecfdf392db0b92c40000000426946c8d81693884b25e8aa45e5149d400f7de3be189ef1a92c5b7755bd095ee1d393c5ee6a102a2bcbc74990dac471e4c5eae19deeda456ed03724705a8bf3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042056"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3422529865"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Fps unlocker.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	700	firefox.exe
Token: SeDebugPrivilege	700	firefox.exe
Token: 33	5320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5320	AUDIODG.EXE
Token: SeDebugPrivilege	3716	Fps unlocker.exe
Token: SeIncreaseQuotaPrivilege	3168	wmic.exe
Token: SeSecurityPrivilege	3168	wmic.exe
Token: SeTakeOwnershipPrivilege	3168	wmic.exe
Token: SeLoadDriverPrivilege	3168	wmic.exe
Token: SeSystemProfilePrivilege	3168	wmic.exe
Token: SeSystemtimePrivilege	3168	wmic.exe
Token: SeProfSingleProcessPrivilege	3168	wmic.exe
Token: SeIncBasePriorityPrivilege	3168	wmic.exe
Token: SeCreatePagefilePrivilege	3168	wmic.exe
Token: SeBackupPrivilege	3168	wmic.exe
Token: SeRestorePrivilege	3168	wmic.exe
Token: SeShutdownPrivilege	3168	wmic.exe
Token: SeDebugPrivilege	3168	wmic.exe
Token: SeSystemEnvironmentPrivilege	3168	wmic.exe
Token: SeRemoteShutdownPrivilege	3168	wmic.exe
Token: SeUndockPrivilege	3168	wmic.exe
Token: SeManageVolumePrivilege	3168	wmic.exe
Token: SeImpersonatePrivilege	3168	wmic.exe
Token: 33	3168	wmic.exe
Token: 34	3168	wmic.exe
Token: 35	3168	wmic.exe
Token: 36	3168	wmic.exe
Token: SeIncreaseQuotaPrivilege	3168	wmic.exe
Token: SeSecurityPrivilege	3168	wmic.exe
Token: SeTakeOwnershipPrivilege	3168	wmic.exe
Token: SeLoadDriverPrivilege	3168	wmic.exe
Token: SeSystemProfilePrivilege	3168	wmic.exe
Token: SeSystemtimePrivilege	3168	wmic.exe
Token: SeProfSingleProcessPrivilege	3168	wmic.exe
Token: SeIncBasePriorityPrivilege	3168	wmic.exe
Token: SeCreatePagefilePrivilege	3168	wmic.exe
Token: SeBackupPrivilege	3168	wmic.exe
Token: SeRestorePrivilege	3168	wmic.exe
Token: SeShutdownPrivilege	3168	wmic.exe
Token: SeDebugPrivilege	3168	wmic.exe
Token: SeSystemEnvironmentPrivilege	3168	wmic.exe
Token: SeRemoteShutdownPrivilege	3168	wmic.exe
Token: SeUndockPrivilege	3168	wmic.exe
Token: SeManageVolumePrivilege	3168	wmic.exe
Token: SeImpersonatePrivilege	3168	wmic.exe
Token: 33	3168	wmic.exe
Token: 34	3168	wmic.exe
Token: 35	3168	wmic.exe
Token: 36	3168	wmic.exe
Token: SeDebugPrivilege	5192	Fps unlocker.exe
Token: SeIncreaseQuotaPrivilege	5212	wmic.exe
Token: SeSecurityPrivilege	5212	wmic.exe
Token: SeTakeOwnershipPrivilege	5212	wmic.exe
Token: SeLoadDriverPrivilege	5212	wmic.exe
Token: SeSystemProfilePrivilege	5212	wmic.exe
Token: SeSystemtimePrivilege	5212	wmic.exe
Token: SeProfSingleProcessPrivilege	5212	wmic.exe
Token: SeIncBasePriorityPrivilege	5212	wmic.exe
Token: SeCreatePagefilePrivilege	5212	wmic.exe
Token: SeBackupPrivilege	5212	wmic.exe
Token: SeRestorePrivilege	5212	wmic.exe
Token: SeShutdownPrivilege	5212	wmic.exe
Token: SeDebugPrivilege	5212	wmic.exe
Token: SeSystemEnvironmentPrivilege	5212	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
948	iexplore.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
700	firefox.exe
700	firefox.exe
700	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
948	iexplore.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe
700	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2996	948	iexplore.exe	84
PID 948 wrote to memory of 2996	948	iexplore.exe	84
PID 948 wrote to memory of 2996	948	iexplore.exe	84
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 4080 wrote to memory of 700	4080	firefox.exe	95
PID 700 wrote to memory of 4992	700	firefox.exe	97
PID 700 wrote to memory of 4992	700	firefox.exe	97
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98
PID 700 wrote to memory of 4792	700	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\VSMA2biL.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.0.972051072\1912252675" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f51e4b-3b8d-4a67-9022-18c8e026fa0e} 700 "\\.\pipe\gecko-crash-server-pipe.700" 1932 2407ff19b58 gpu
    3⤵
    PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.1.1567143019\398955996" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f61206c2-573f-489a-a0ba-4a8c35392e2f} 700 "\\.\pipe\gecko-crash-server-pipe.700" 2332 2400a453e58 socket
    3⤵
    - Checks processor information in registry
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.2.1882318052\747580708" -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3180 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {867632d2-36c0-4cf6-80e5-a75d65b452ed} 700 "\\.\pipe\gecko-crash-server-pipe.700" 2992 2400cd39c58 tab
    3⤵
    PID:1980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.3.1461120130\616873117" -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11e230b4-0c72-4521-ac2a-907d7fc01f42} 700 "\\.\pipe\gecko-crash-server-pipe.700" 3848 2407bf6b858 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.4.327001704\1192466326" -childID 3 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cca0e2a-2687-4d14-b898-6d56098f7eef} 700 "\\.\pipe\gecko-crash-server-pipe.700" 3968 2400dfe5c58 tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.5.306014797\1702544467" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5112 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65dd998f-8e1a-4f4e-9e77-99645420f6ce} 700 "\\.\pipe\gecko-crash-server-pipe.700" 5064 2400f598e58 tab
    3⤵
    PID:3492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.8.1949166498\1557778245" -childID 7 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563b4434-664a-4b6d-ad9e-8e6c04981582} 700 "\\.\pipe\gecko-crash-server-pipe.700" 5620 2400a519b58 tab
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.7.1261957361\1298559712" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bf63bd-4b34-40a4-a241-46e27aceeae4} 700 "\\.\pipe\gecko-crash-server-pipe.700" 5428 2400a519258 tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.6.852809343\670346187" -childID 5 -isForBrowser -prefsHandle 4028 -prefMapHandle 5216 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fccda7ea-b40e-456e-9d19-b3fcc33a9852} 700 "\\.\pipe\gecko-crash-server-pipe.700" 5104 2400a518c58 tab
    3⤵
    PID:3792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="700.9.1051670384\1191060308" -childID 8 -isForBrowser -prefsHandle 4852 -prefMapHandle 4840 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2acfe28c-5555-4335-96dd-a9eb11e5e4e2} 700 "\\.\pipe\gecko-crash-server-pipe.700" 3508 240106eca58 tab
    3⤵
    PID:5196
- - C:\Users\Admin\Downloads\Fps unlocker.exe
    "C:\Users\Admin\Downloads\Fps unlocker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5952

C:\Users\Admin\Downloads\Fps unlocker.exe
"C:\Users\Admin\Downloads\Fps unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5212

C:\Users\Admin\Downloads\Fps unlocker.exe
"C:\Users\Admin\Downloads\Fps unlocker.exe"
1⤵
- Executes dropped EXE
PID:1528
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fps unlocker.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7ysgaof\imagestore.dat

Filesize
6KB

MD5
c04416589bef5557160566000ec4c194

SHA1
10ee4edf149bb0139c5c338f8c0eaa717153e373

SHA256
7aebe429c7650acded6e40b501ea02fb17b9978a48f7269fa07dccd497273335

SHA512
4c81db7bb4717f0762de84d2a0f1e450acbed191ef8c7776b459b1155a360ff6542859af533f130c1c6bed7d52811f59e24d1ec19fe3735aaa61d0ba0a8da108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P2PR3BY\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P2PR3BY\qsml[2].xml

Filesize
461B

MD5
6d60f7c807295e6a0d6b84a4d9afc33f

SHA1
c298dc937e24bdc65f3eba9c25e58c1797282ea6

SHA256
1b8953d6378e7fc49498402fcaf0982661a007bc615d98c0488106dc38e95941

SHA512
deba732c96890b9df8fbd193a171701e44259e6e1877c0ddf14305da22ff1d2911f232db430faa61e17890e9b8f2f1a51d60d1d5aedf687c4472b4c9bf662d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P2PR3BY\qsml[3].xml

Filesize
489B

MD5
7eb1b9a3cf39a4120cc8a44b24a24805

SHA1
1e6142e0fb3dfede0b36032d9b734a2d76055e11

SHA256
9f61eeb7c8b9273608e923ea5fdb92c9372ebcaab19c67ae6705104dad670e82

SHA512
59fcfd6187c2420fd4598dcd77f33f24657f7bbc9f27bd88912d0a516457b69e71c5ce9c075755c694e61880377ef5289e301b9c50e6b6cad7daa02ec7513877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\qsml[1].xml

Filesize
484B

MD5
36a9ce41a8cba2119daf0484937b53fd

SHA1
3709da4782b396d903e4138d0fe72b4d4c9d7578

SHA256
924e259785cb58e18d4dbef4efd8579ec3804b5301e0f8e1fd469c1cf8a24a97

SHA512
ac202e77860748f7833f62808fc9c9ccff2d171e416f511628572734b995b92a08d03ed7f6b7382922a3456e5f76ae85d4ecc4d5cdda899f2cce5b0990ab2c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\qsml[2].xml

Filesize
468B

MD5
a6a9cd4df73042767660a73f584933a9

SHA1
12c97e578e58cade998d7e204f58361e5068e3a6

SHA256
727bfbad1a6a807da017d73d4a1a46527c71469faa4dd44058e251479322e7f6

SHA512
1cc6158f7c5c995b85c78a8001e3e0177aac99b45804b7db63638a9821247d319ae58711fc519ef7ddad246b208ccca2c552c33126bc8392f5fd5afd23a673e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\qsml[3].xml

Filesize
492B

MD5
1a5922c3916013af01acc23b74cf35c6

SHA1
4185e09be5e7a6fa12c70b81a3790dc62169863f

SHA256
95b5b9fb2036e64bee8ff3f56c1ea937929f4b43b2dfd5fde1b77459764303fc

SHA512
20252b5af59404087881fa4d6d124d984a393e591674e37c18e14479d4dcbeadedc70344b0065ca96da9cdccaffe501e64ddb278050251ac1335929fe79175e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\qsml[4].xml

Filesize
477B

MD5
306880816944d139e3b8926c3905a121

SHA1
53269e170f4260052b039bdaacfee00cda56e1ab

SHA256
05e8240abb4c5226b2fa78b2df8a4f90352f5a0717ae1b157137683b38813f15

SHA512
479cde3573c2636517caab4f524bd44c9b14a6332bc780b78a2df064afd6ae0028e9f2f129d55c79f55baa0cec2bed97202dc73d902b7706e13145914f208e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IDCMYYRW\qsml[1].xml

Filesize
471B

MD5
3980f509699aa63e1666ce98b8d9c1a9

SHA1
6b24f5f3c208df759510810af41d63e4b84c8875

SHA256
febf08ab9ef90ed8ad231bcfebec50cfddb6a12070cca3c0129ce122a1a3eb35

SHA512
58f458473c8777ea8a8989599dbd6e26e5c618ff8eb8908468e4bdca7034da66f0c50e40a4ec33e3a301b3b44d9a8c773ec90eae4e16ef5546edc0989b0f16ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IDCMYYRW\qsml[2].xml

Filesize
481B

MD5
ac74b9b176ee81ff1e6c0e9324367ad3

SHA1
310b175a8993a6aaba81a6cf6a3509217b3b60ea

SHA256
c56769677ca18dafc0775bf3da61698fc9b0ccad70027388b677eacc611c1488

SHA512
b5633ad1ab979f4cf345d1af4d84705aaff19e12eee08e02ba43bb83d79f869ebe4866285a428aa86fc6169dc13ae17b217770541f410fba657ab6050073f275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IDCMYYRW\qsml[3].xml

Filesize
488B

MD5
c3d9856ce9e64bc7724037d6e4c41ea3

SHA1
26e6d1c8970e624b976674ab2d3bc177e7c6bbeb

SHA256
a0734f1a8b0dec32b578831a593bd1ee7c58dfc91f6e615bf74469148604826c

SHA512
6421734cd52555d127a3b53ed7cf3e812e96a8d20013f681fb52a80417c7ece3422ffc16f3e5be595326cd7253dcd5ea2bfa536f212a70ff2d7e066125990140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\qsml[1].xml

Filesize
475B

MD5
2cd19c114c2a156b38a3a840641d75ca

SHA1
a630d1a419eef482aa78209c51b5c39f54547ad0

SHA256
3bcce79823c1d7a1612bf094d78864737c6c14f4fbb3b27211124bb8d3c26ae9

SHA512
9dd8cb8a1a7c54ac0830310cfcd8a4ec83b4a4348bd2cb46a26b2461fbfd6cd16b15512e7323a53002b0a3ad92d76fd1ea193ac041794c6dcde6665dbc3b83ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\qsml[2].xml

Filesize
484B

MD5
251e4a40c00f4de67e953a49d7953cb1

SHA1
a7b5aae45b8b0db3e5af827de121f32a97bd447e

SHA256
a7338f26cf074b5465f6ad38da8a270161cd7dacef5dc4b722b608db4d7f6c68

SHA512
cde860b435e698462671483081ee73a6bc41507fb400833f41f97ffbc90c31d0bd69a8f63aa8fdb24dcd00adb158677f7556f9d09b4b972c94e17b6af4d8a41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\qsml[3].xml

Filesize
487B

MD5
ece47a6a02d776671d72675e499913c6

SHA1
3b05a9e5ff521e0b4fe213b734ff1f57066c0d67

SHA256
830886e81827db0885f39e1f15d3f527c51616b68abd7f0981d978df4d782aff

SHA512
4c1e14ea1c6191930f2ccaa021fd159e4cadc5c930c3d4e2a4be5fcec9e508796aa2f2fbc82b0e8892008eeab3cfcd8124f358e7dd1f6588c171fe0ac58ecc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\qsml[4].xml

Filesize
351B

MD5
b972a3aaa3e78d90f101e0fca5d9587d

SHA1
0eb46798e45437f4727759b6be00231a52be6adf

SHA256
365a56141083cff7b6020e5ecdd8c33e314eb87c80def1a110c8792e67d237ce

SHA512
24cec170f505458a41364b8852335297789bbdabfea302cb6487b2c8b4887486f97bfacdde680372bdfccda6cdb530c2d10e8a10487dfdbb6ca7a05e17a8d228

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
fe0763dd9dc239250f437894c5d0ad36

SHA1
4f316dfb778f4a00457f6f3dbcabb5f39a8ff9c3

SHA256
f3244766f4a8f112ba68e7e80b2a075d272adfbd978661a23dc5919374023d03

SHA512
78834c7669e86ffce25fe264d6240165e70d2b225873071cab76bd6dcbe4b5556523820d983aa5e1094dcb77d9136596db8efdcfe3548d2d6d28448fba549b31

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\cache2\doomed\9835

Filesize
9KB

MD5
77f6d32b7d4de57aeb5855ab7c50adc8

SHA1
ba1593b23f354957e2a9b94f7345011a7d64180b

SHA256
cba0846fc4f11fcdfccd271567a8ca5af3b0b73cd2179d529ca4569452feeac7

SHA512
9f45b9673fd267a247be0a573c14ebd5a48958d5ace9ff911b92a15fbf12f73516ef2bfece46d9ab249e178d2c983116416a307ba958e3c2ba7dcc8cfff49395

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0

Filesize
14KB

MD5
4c376c2c7e5f714822ac804d09ceff57

SHA1
52f7ad072a3a72a3ff9547ab133351034212d2fb

SHA256
a0bed0deb37acfc68027c9f96e487fd69324dfbccd0e6462f123b00090d41f63

SHA512
de4d83c7bee2a87c11a60bcaced64ffe8c560675bc9c72bc8cabe166d88b84c367d937e4c8032db72882ea391a79d15b750651ab6cbfbc1fae13ce8a29612fb4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\thumbnails\ab9a1a1bd14c4e0204c05f2c96000479.png

Filesize
4KB

MD5
1fb7abf0b8e4b546c560124b13490630

SHA1
e4b041082d5acde2e9843d5a2e30f7f3ef149008

SHA256
7b4121a4449e56a79f3f9c42978adf5902db4ebd2069fd18360398da879a7936

SHA512
8d0a54468508aa1f998e1e01ad8d6c270f9e157c52ed30f7eef8f8baba323eea24b62d3d889fd67cf82cec66f4be5d601423170716d2c739be8f8a4b2a719110

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF043D8E69C3C7E990.TMP

Filesize
16KB

MD5
9b0ae1fabf561e4ffff2529925c64cf3

SHA1
cb7b4f398a8a841fd9531347b9eaf15e20e10fe5

SHA256
40621f77214ff4bc681852160e8825ff67179c88e71158d6378ae81b96d7b08c

SHA512
dc02ced3bc5d70ccfc99d4fe267daa267ee06f54a7347a5f1fac0d5fc1d3e422e43f087c6bd75ec514cd4ad20883869ee7debdd6146e33cb363213c7b32e8d52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs-1.js

Filesize
8KB

MD5
db88c617c4d3b55d79d4518b94ecb6d1

SHA1
0a0bf68b549aaedd6e7c7c7eda27d6368d166a4f

SHA256
049e8bec9eb732443b38300bad9039d1d2cf2db3531ec8a7b901415a6d4d7e73

SHA512
1ec7d09417b6b624d5c0ce205975480800c4b211de244345ad4f5a8af46ce5b8f89d28da2dc72cf4ac960b7dae06e5afc3be89b4e18a310bfe52165fa8ba7834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs-1.js

Filesize
6KB

MD5
02920721d9c8e170afd15489be9371b4

SHA1
0b675931a44f81c448a25867f851e7c62d534d97

SHA256
235f3c578c529be0e342906a86e4715ab1274f5b345e130dd49e1b34337e6364

SHA512
8b39b5cecf5bb62731d5cf4318144bcabc45d10f64413e4548f259c1a43c8e45e625177a457fb003e73f348449db4ec73e73e32d7fa164d513dfe8e381b56b13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs-1.js

Filesize
10KB

MD5
5b3e2194099c6dcf8c5fa7d1a77034b2

SHA1
6f6878d610d9a86b6989a218aadac7f9af5e331d

SHA256
35f9f8378a03e35d3949cdb3ddaab39e6996ab1a62629118e7d7c8aa52e56877

SHA512
f4277f1ee6d6d391d743aaee7e2eac9c0eb16e795cba349a08439ef0c15182692f4d3af496bd6a39b47054143f9a0b1cdc1222401efe70cd7bc7c5aba7a441f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs.js

Filesize
6KB

MD5
f120c9ccd050714a4e2cc1d038a53976

SHA1
200d6464728da6894f611a591751f5db9c940414

SHA256
f831c9f2d5c25843500d5f3bfff09445ec87936bf657f959b68329a7e3da7dc0

SHA512
add66474817c93b07896e74e303c57856621c6ecbb2b39e504dc65523d8d69cfb4bc9c5ff8e9b62d18129fb95fb2ad9acdd697b9e211e641b5420794e15b084c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\prefs.js

Filesize
6KB

MD5
d56a7e6f5d8a989dc0f497f7b1a2aa4c

SHA1
662a310dc62df6b7ddcf4a78da60022ad5949db5

SHA256
f3af7789b9c71706ef6bf266ca2456c94bed260443f96ef23a4a4e978bc335af

SHA512
ddaec7d92d8e7df24977756d7c0fc43c1f2f1ba946d6c1aa59f665585b54dbbadf219bb35c1a3679565e3ee442d216e42d00751233fce22af04c1567ca45cf51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
23119b161afb4a284eb10f839f8e4e49

SHA1
45ab1c1b3b2597230faf4206841d2f5c74b1fc69

SHA256
a3ddd2389db3e979d452f3715c8a6a111f74824e8ffaa0b1724dcdc9f98b40a5

SHA512
132e6c1c79a392e9382a65d827d595c2a5056b5d5694e1390de08bfd6c1849088db4baf44b31c270b04a95c76a5319c6e6f44e88112187665b6f23f68ba42c52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
dbe5fcba39f65355103ded7bb9e02726

SHA1
7b6c3700b720e1de9002010acb5782fa7fc34a30

SHA256
b808622af610f625e8f8c9bfb9c8396dc24502cebea603ff6ffb27e40dd15d59

SHA512
177ac29cb1b1c65ee9619211cf1b80e1abc36d7d2cf6854965ee5ee05e294306f471d25dc7bf9a54f72e11228009b016d7dea11a30edeff9af033f445d66843b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
4d38310facce643df2a6160c1fdbe859

SHA1
c7050a07563b99babf4de3916d12f5e36458f7cc

SHA256
6d488f5135652afaa715bf327e2253564930c44edf0728cdb1ad3f2e1805041d

SHA512
ad7446fa6f9baa21f3934d539719a7a91960dc869388f88a0927f1e71cfc7e84c8798843b955a845d4f98f5b478ba53cf0a53e6996bb5178c249850dc169ac4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\storage\default\https+++mega.nz\cache\morgue\248\{b1ce2e4c-0cc1-4494-a11d-06fe9ddcfcf8}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g6h1qcgn.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
f1d2f5f2e5d65cf9481a5d5dcee014b4

SHA1
86db9e4f00bbc2a392cc778229afe9116cfcb291

SHA256
09591686324f14d132e6a1a80ad6b7d1fd1b6fd2e98bf754a7e11367836457da

SHA512
6db6fd9f0cbdb40ff025936bd4bde29b534027b466007a10458d963c0398c4d363ea6ec2cf79589c6d69072d8000e18ff868777efb35f8fa6ca261b5afb00962

Download Submit
C:\Users\Admin\Downloads\Fps unlocker.exe

Filesize
231KB

MD5
8e0d0543f4eb1e8e5d14a0ee3a7ac228

SHA1
adfede75871a2196e79856335aca757ccaa3c1f0

SHA256
5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

SHA512
150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02

Download Submit
C:\Users\Admin\Downloads\Fps unlocker.exe

Filesize
231KB

MD5
8e0d0543f4eb1e8e5d14a0ee3a7ac228

SHA1
adfede75871a2196e79856335aca757ccaa3c1f0

SHA256
5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

SHA512
150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02

Download Submit
C:\Users\Admin\Downloads\Fps unlocker.exe

Filesize
231KB

MD5
8e0d0543f4eb1e8e5d14a0ee3a7ac228

SHA1
adfede75871a2196e79856335aca757ccaa3c1f0

SHA256
5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

SHA512
150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02

Download Submit
C:\Users\Admin\Downloads\Fps unlocker.exe

Filesize
231KB

MD5
8e0d0543f4eb1e8e5d14a0ee3a7ac228

SHA1
adfede75871a2196e79856335aca757ccaa3c1f0

SHA256
5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

SHA512
150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02

Download Submit
C:\Users\Admin\Downloads\Fps unlocker.exe

Filesize
231KB

MD5
8e0d0543f4eb1e8e5d14a0ee3a7ac228

SHA1
adfede75871a2196e79856335aca757ccaa3c1f0

SHA256
5e9142e06299d70195c1d5876ee384995822943ea8747fc725830a7c7cac85d7

SHA512
150aa1b2d7807e5b8283fa726015036862ee84ddcdc3b870a18da9d3f94ea7356ef2f62c0c21c1c6137a33ffa55ca52713558f08bcaeb4dca1dd63e6c8163d02

Download Submit
memory/3716-1159-0x000002191CE70000-0x000002191CEB0000-memory.dmp

Filesize
256KB

Download
memory/3716-1220-0x000002191ECD0000-0x000002191ECE0000-memory.dmp

Filesize
64KB

Download
memory/5192-1569-0x0000020049610000-0x0000020049620000-memory.dmp

Filesize
64KB

Download