umbral | d57da5841f0117edb2cd41d92c03de6385bbe69563abbcd902b8e09a111824e8

Resubmissions

16/11/2023, 14:41

231116-r2taxacd86 10

Analysis

max time kernel
154s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chad Manager (QUEST).exe
Size

362KB
MD5

cca5bab38fe75d3683b7355f1084007a
SHA1

c2f0c7ffd1cf73c0f2f4a6c881150e1cb78288c0
SHA256

d57da5841f0117edb2cd41d92c03de6385bbe69563abbcd902b8e09a111824e8
SHA512

afe550e0007e76483c84cf3d9c0341240f45d715bbb192fa04aa0ab55e7baf8cb2a0332267869a123c846cd1389ed060dfaec7ea8d40b6110f234965436b7fd9
SSDEEP

6144:PcyHIGadsUS0O3ulKjb8eNHOJZCDv4zMYAU:Pc+IG9/jR

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/3660-0-0x000001EB88C20000-0x000001EB88C80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2528	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	Process not Found
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	Chad Manager (QUEST).exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeIncreaseQuotaPrivilege	2240	wmic.exe
Token: SeSecurityPrivilege	2240	wmic.exe
Token: SeTakeOwnershipPrivilege	2240	wmic.exe
Token: SeLoadDriverPrivilege	2240	wmic.exe
Token: SeSystemProfilePrivilege	2240	wmic.exe
Token: SeSystemtimePrivilege	2240	wmic.exe
Token: SeProfSingleProcessPrivilege	2240	wmic.exe
Token: SeIncBasePriorityPrivilege	2240	wmic.exe
Token: SeCreatePagefilePrivilege	2240	wmic.exe
Token: SeBackupPrivilege	2240	wmic.exe
Token: SeRestorePrivilege	2240	wmic.exe
Token: SeShutdownPrivilege	2240	wmic.exe
Token: SeDebugPrivilege	2240	wmic.exe
Token: SeSystemEnvironmentPrivilege	2240	wmic.exe
Token: SeRemoteShutdownPrivilege	2240	wmic.exe
Token: SeUndockPrivilege	2240	wmic.exe
Token: SeManageVolumePrivilege	2240	wmic.exe
Token: 33	2240	wmic.exe
Token: 34	2240	wmic.exe
Token: 35	2240	wmic.exe
Token: 36	2240	wmic.exe
Token: SeIncreaseQuotaPrivilege	2240	wmic.exe
Token: SeSecurityPrivilege	2240	wmic.exe
Token: SeTakeOwnershipPrivilege	2240	wmic.exe
Token: SeLoadDriverPrivilege	2240	wmic.exe
Token: SeSystemProfilePrivilege	2240	wmic.exe
Token: SeSystemtimePrivilege	2240	wmic.exe
Token: SeProfSingleProcessPrivilege	2240	wmic.exe
Token: SeIncBasePriorityPrivilege	2240	wmic.exe
Token: SeCreatePagefilePrivilege	2240	wmic.exe
Token: SeBackupPrivilege	2240	wmic.exe
Token: SeRestorePrivilege	2240	wmic.exe
Token: SeShutdownPrivilege	2240	wmic.exe
Token: SeDebugPrivilege	2240	wmic.exe
Token: SeSystemEnvironmentPrivilege	2240	wmic.exe
Token: SeRemoteShutdownPrivilege	2240	wmic.exe
Token: SeUndockPrivilege	2240	wmic.exe
Token: SeManageVolumePrivilege	2240	wmic.exe
Token: 33	2240	wmic.exe
Token: 34	2240	wmic.exe
Token: 35	2240	wmic.exe
Token: 36	2240	wmic.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe
Token: SeSecurityPrivilege	936	wmic.exe
Token: SeTakeOwnershipPrivilege	936	wmic.exe
Token: SeLoadDriverPrivilege	936	wmic.exe
Token: SeSystemProfilePrivilege	936	wmic.exe
Token: SeSystemtimePrivilege	936	wmic.exe
Token: SeProfSingleProcessPrivilege	936	wmic.exe
Token: SeIncBasePriorityPrivilege	936	wmic.exe
Token: SeCreatePagefilePrivilege	936	wmic.exe
Token: SeBackupPrivilege	936	wmic.exe
Token: SeRestorePrivilege	936	wmic.exe
Token: SeShutdownPrivilege	936	wmic.exe
Token: SeDebugPrivilege	936	wmic.exe
Token: SeSystemEnvironmentPrivilege	936	wmic.exe
Token: SeRemoteShutdownPrivilege	936	wmic.exe
Token: SeUndockPrivilege	936	wmic.exe
Token: SeManageVolumePrivilege	936	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1788	firefox.exe
1788	firefox.exe
1788	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1756	3660	Chad Manager (QUEST).exe	92
PID 3660 wrote to memory of 1756	3660	Chad Manager (QUEST).exe	92
PID 3660 wrote to memory of 4700	3660	Chad Manager (QUEST).exe	95
PID 3660 wrote to memory of 4700	3660	Chad Manager (QUEST).exe	95
PID 3660 wrote to memory of 3600	3660	Chad Manager (QUEST).exe	98
PID 3660 wrote to memory of 3600	3660	Chad Manager (QUEST).exe	98
PID 3660 wrote to memory of 2148	3660	Chad Manager (QUEST).exe	99
PID 3660 wrote to memory of 2148	3660	Chad Manager (QUEST).exe	99
PID 3660 wrote to memory of 2240	3660	Chad Manager (QUEST).exe	102
PID 3660 wrote to memory of 2240	3660	Chad Manager (QUEST).exe	102
PID 3660 wrote to memory of 936	3660	Chad Manager (QUEST).exe	106
PID 3660 wrote to memory of 936	3660	Chad Manager (QUEST).exe	106
PID 3660 wrote to memory of 2988	3660	Chad Manager (QUEST).exe	108
PID 3660 wrote to memory of 2988	3660	Chad Manager (QUEST).exe	108
PID 3660 wrote to memory of 688	3660	Chad Manager (QUEST).exe	112
PID 3660 wrote to memory of 688	3660	Chad Manager (QUEST).exe	112
PID 3660 wrote to memory of 2528	3660	Chad Manager (QUEST).exe	113
PID 3660 wrote to memory of 2528	3660	Chad Manager (QUEST).exe	113
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 952 wrote to memory of 1788	952	firefox.exe	131
PID 1788 wrote to memory of 692	1788	firefox.exe	132
PID 1788 wrote to memory of 692	1788	firefox.exe	132
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133
PID 1788 wrote to memory of 3068	1788	firefox.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe
"C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chad Manager (QUEST).exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.0.949836820\615411944" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b3a245-a98d-460b-8383-322c588c76e4} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 1848 1df052e7758 gpu
    3⤵
    PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.1.899958553\2054731677" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6705a46-20d7-4220-b9bf-2542cef86d4a} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2380 1df0520ba58 socket
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.2.108238712\761756756" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed90c79-87e0-423c-9d91-cdaef33107ca} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3020 1df094af958 tab
    3⤵
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.3.1960526725\825180378" -childID 2 -isForBrowser -prefsHandle 1328 -prefMapHandle 1324 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5dfeb2e-a135-4dea-aa33-d886b49bcf86} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 2712 1df07ce0e58 tab
    3⤵
    PID:4380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.4.1952288116\747886228" -childID 3 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c14ca384-ee08-4fd3-8057-43ca1bd39950} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 3756 1df07e85b58 tab
    3⤵
    PID:2368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.7.1132847867\1865472999" -childID 6 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e332107-18c7-4734-bb44-6d99446ff352} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5420 1df0b7eb358 tab
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.6.1523941693\944289078" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb136331-fd05-4d8c-90c0-49cb8964b8b1} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5180 1df0b7ea158 tab
    3⤵
    PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1788.5.81357428\865242096" -childID 4 -isForBrowser -prefsHandle 5096 -prefMapHandle 5080 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0c4b860-41e7-4d64-a977-b3e41461aea3} 1788 "\\.\pipe\gecko-crash-server-pipe.1788" 5104 1df09430d58 tab
    3⤵
    PID:2212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f995e50613f828ddc321e8d37fdb01a

SHA1
b0883951336ac0719c4927eb03d2577b8475931a

SHA256
7360aa4436f23a39cb14e9cc053c85a4f35e4258c0b9b7b6c89c7e996c3f7f32

SHA512
39f75d156e6e4c0cdc7f15afc38983b4139ed0b033433b3271cca639722a7dbb87a455c36c077f34153c7128e2851e93a9c2ce2f3af03874d390a6cee607491d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0e046a2ca47c01116ab2c42b4553232c

SHA1
750650547f305d5cd7f832341f6a17618aa98800

SHA256
d063753bbc9924e4bf9306167893909c3898072109e13b479ccdac493a8f3a2d

SHA512
dc1c95dbb27fb1fcc577a841abad5a2ca16445b1c51640853f497df8fca260ae5d5fee2d402b18c61a263a6af5a5b71661fb880234bd8de3e6636887f03ae0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
62402db70e588065dad628041e8df19d

SHA1
3e4070fb47abe496f74fb2b65a37463ccdc20339

SHA256
5028966d2f2c8d5ce6a84d1eb6b0d8487b1b07d9cbee06e71e9d6b1abcabfd31

SHA512
b87d9c3f89af660a20654c870e593e1de416b4ee0fc2d5b2e4f2fa35c463e89920a1a50ca737f02b6eae813b418af49d7c7c1b8a64c1b97c8bb7f6cbe3f24a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vti25erf.ntz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs.js

Filesize
6KB

MD5
b3cba0a654c5e568b39c86ab891d0bc2

SHA1
bf2abb80435b9c574cb0559eaa1f147631828fec

SHA256
95e575782062b521c29a1df7f03961118fcb7348e5872f458680ef1eaf65b411

SHA512
4341938d6b4f0c145ea56557bc21b1e20e91c3d690f21131ca236453fbb6e895da4140bea607052b0d8cdd193e342301ffdc58db849c8de10c1ec9d9ec74f0de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8370e84d3959344d9998f5753c024f65

SHA1
8710569fb014a05d380682996a947cc6034fc821

SHA256
f03115f7112583de26ae554f4b25fd43704a1c22ea346fe7a4fc5a9eb5cba4f9

SHA512
d5cded9a07d9698a8515dbaca522d0aa7150f6325b268a4ad7a3b2e90fb717f3b612f1bea759429a1ea4b00a0520b890a34292b90286ff613f782bce93654120

Download Submit
memory/688-101-0x000002406B930000-0x000002406B940000-memory.dmp

Filesize
64KB

Download
memory/688-98-0x000002406B930000-0x000002406B940000-memory.dmp

Filesize
64KB

Download
memory/688-103-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/688-88-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/688-99-0x000002406B930000-0x000002406B940000-memory.dmp

Filesize
64KB

Download
memory/1756-3-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-14-0x000002DABEB70000-0x000002DABEB92000-memory.dmp

Filesize
136KB

Download
memory/1756-4-0x000002DABEC00000-0x000002DABEC10000-memory.dmp

Filesize
64KB

Download
memory/1756-20-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-17-0x000002DABEC00000-0x000002DABEC10000-memory.dmp

Filesize
64KB

Download
memory/1756-16-0x000002DABEC00000-0x000002DABEC10000-memory.dmp

Filesize
64KB

Download
memory/1756-15-0x000002DABEC00000-0x000002DABEC10000-memory.dmp

Filesize
64KB

Download
memory/2148-60-0x000001E6AD030000-0x000001E6AD040000-memory.dmp

Filesize
64KB

Download
memory/2148-84-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2148-59-0x000001E6AD030000-0x000001E6AD040000-memory.dmp

Filesize
64KB

Download
memory/2148-58-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2300-189-0x000001DC58B30000-0x000001DC58B38000-memory.dmp

Filesize
32KB

Download
memory/2300-193-0x000001DC5A190000-0x000001DC5A198000-memory.dmp

Filesize
32KB

Download
memory/2300-173-0x000001DC54640000-0x000001DC54650000-memory.dmp

Filesize
64KB

Download
memory/3600-44-0x0000024ECBD40000-0x0000024ECBD50000-memory.dmp

Filesize
64KB

Download
memory/3600-42-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-57-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-40-0x000001EBA33C0000-0x000001EBA3436000-memory.dmp

Filesize
472KB

Download
memory/3660-2-0x000001EBA32B0000-0x000001EBA32C0000-memory.dmp

Filesize
64KB

Download
memory/3660-86-0x000001EB8A960000-0x000001EB8A972000-memory.dmp

Filesize
72KB

Download
memory/3660-0-0x000001EB88C20000-0x000001EB88C80000-memory.dmp

Filesize
384KB

Download
memory/3660-43-0x000001EBA32B0000-0x000001EBA32C0000-memory.dmp

Filesize
64KB

Download
memory/3660-41-0x000001EB8A8F0000-0x000001EB8A940000-memory.dmp

Filesize
320KB

Download
memory/3660-54-0x000001EB8A8C0000-0x000001EB8A8DE000-memory.dmp

Filesize
120KB

Download
memory/3660-85-0x000001EB8A8E0000-0x000001EB8A8EA000-memory.dmp

Filesize
40KB

Download
memory/3660-35-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-107-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-1-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-38-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-32-0x000001A465A90000-0x000001A465AA0000-memory.dmp

Filesize
64KB

Download
memory/4700-27-0x00007FFEBBBE0000-0x00007FFEBC6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-33-0x000001A465A90000-0x000001A465AA0000-memory.dmp

Filesize
64KB

Download
memory/4700-36-0x000001A465A90000-0x000001A465AA0000-memory.dmp

Filesize
64KB

Download