Analysis
- max time kernel: 332s
- max time network: 337s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 12:52

Behavioral tasks
- behavioral1: sample Umbral.Stealer.zip, resource win7-20240221-en
- behavioral2: sample Umbral.Stealer.zip, resource win10v2004-20240319-en
General
- Target: Umbral.Stealer.zip
- Size: 3.3MB
- MD5: f355889db3ff6bae624f80f41a52e619
- SHA1: 47f7916272a81d313e70808270c3c351207b890f
- SHA256: 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
- SHA512: bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb
- SSDEEP: 98304:XINn7mVoLvbDU48xzliDSjtYV2jg0tsGTplmOhl88uF:mjLvvD8BcSjtAB0zplNl8Z
Malware Config
Signatures
- Obfuscated with Agile.Net obfuscator (8 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  yara_rule agile_net matched in the following resources:
    behavioral2/memory/6568-470-0x000002C569480000-0x000002C5694A0000-memory.dmp
    behavioral2/memory/6568-473-0x000002C5694A0000-0x000002C5694C0000-memory.dmp
    behavioral2/memory/6568-474-0x000002C56B650000-0x000002C56B6BE000-memory.dmp
    behavioral2/memory/6568-475-0x000002C5694C0000-0x000002C5694CE000-memory.dmp
    behavioral2/memory/6568-477-0x000002C5694E0000-0x000002C5694F0000-memory.dmp
    behavioral2/memory/6568-476-0x000002C56B6D0000-0x000002C56B72A000-memory.dmp
    behavioral2/memory/6568-478-0x000002C569510000-0x000002C56952E000-memory.dmp
    behavioral2/memory/6568-479-0x000002C56B880000-0x000002C56B9CA000-memory.dmp

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
  flow / ioc:
    219 camo.githubusercontent.com
    220 camo.githubusercontent.com
    281 pastebin.com
    282 pastebin.com
    283 pastebin.com
    285 pastebin.com
    217 camo.githubusercontent.com
    218 camo.githubusercontent.com

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Modifies registry class (44 IoCs)
- NTFS ADS (1 IoCs)
  description / ioc / Process:
    File created: C:\Users\Admin\Downloads\Umbral.Stealer.zip:Zone.Identifier (firefox.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
    6568 Umbral.builder.exe (64 identical entries)

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege, 3168 firefox.exe (7 entries)
    Token: SeDebugPrivilege, 6568 Umbral.builder.exe (1 entry)
    Token: SeManageVolumePrivilege, 6220 svchost.exe (1 entry)

- Suspicious use of FindShellTrayWindow (9 IoCs)
  pid / Process:
    3168 firefox.exe (8 entries)
    6568 Umbral.builder.exe (1 entry)

- Suspicious use of SendNotifyMessage (7 IoCs)
  pid / Process:
    3168 firefox.exe (7 entries)

- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid / Process:
    3168 firefox.exe (4 entries)
    6568 Umbral.builder.exe (2 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target:
    PID 3972 wrote to memory of 3168, 3972 firefox.exe, 112 (11 entries)
    PID 3168 wrote to memory of 5224, 3168 firefox.exe, 113 (2 entries)
    PID 3168 wrote to memory of 5292, 3168 firefox.exe, 114 (48 entries)
    PID 3168 wrote to memory of 5640, 3168 firefox.exe, 115 (3 entries)

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.exe (PID 3972)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Umbral.Stealer.zip

- C:\Windows\System32\rundll32.exe (PID 2564)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\Mozilla Firefox\firefox.exe (PID 3972)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3168)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures:
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5224, gpu)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.0.1546509343\723786533" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf0c6aec-22c2-4ee4-8298-4b7cb2ced841} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 1996 13ff54e6d58 gpu

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5292, socket)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.1.811002230\1496063396" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4e421bd-8eb3-44ae-b677-4e354062b89b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 2396 13fe1672b58 socket

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5640, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.2.605344162\824915772" -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2944 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed5c98ec-075f-4d55-98c6-e6c45c5d31a3} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 3164 13ff5460458 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5748, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.3.1179260328\355863821" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3592 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab4ee698-0262-4209-b2eb-cfb9aed2d6fe} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 3444 13ff7c4fa58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5860, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.4.376595323\1128883284" -childID 3 -isForBrowser -prefsHandle 4440 -prefMapHandle 4432 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {896b5a61-b7e4-43ec-83fb-5b9102cd9714} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 4452 13ffa9d6958 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5992, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.5.1960063390\1904344257" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4972 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db011fa9-807c-45ba-8bf0-e27fb645250e} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 4892 13fe162d858 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5900, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.6.963219844\361988441" -childID 5 -isForBrowser -prefsHandle 5232 -prefMapHandle 5228 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b133f02c-3c2c-4ffe-b216-ce9ef886f4cd} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5248 13ffbee1058 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5960, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.7.560379589\1768877740" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62f8a804-a60e-475c-9447-70a171db2858} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5468 13ffb639058 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6536, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.8.1448981896\1774427573" -childID 7 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80826873-cd7a-4134-843c-6b9c3b8aab8b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5716 13ffd357258 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1556, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.9.11953706\398521547" -childID 8 -isForBrowser -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3ddc9e7-360f-4294-8986-9086c3fca46f} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5080 13ffd973558 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 644, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.10.162348419\2022383264" -childID 9 -isForBrowser -prefsHandle 4880 -prefMapHandle 2836 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e621ff-c94b-4204-8646-7242a8156e01} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 4748 13ffd870d58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6192, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.11.1933881068\1032758767" -childID 10 -isForBrowser -prefsHandle 4828 -prefMapHandle 8688 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba18fdd8-59a0-4727-8c0f-cbd667c488b4} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 5700 13fff0c3258 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1476, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.12.720410963\1084023152" -childID 11 -isForBrowser -prefsHandle 8640 -prefMapHandle 8644 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7dbf916-8439-4ae7-b1bc-b64d948351c8} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 8660 13ffe382f58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2100, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.13.1951778917\1824254210" -childID 12 -isForBrowser -prefsHandle 8664 -prefMapHandle 10556 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747a6c3b-0773-4881-b1af-999adbe855fb} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 10488 13ffd35ab58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3344, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.14.408004718\648613533" -childID 13 -isForBrowser -prefsHandle 8116 -prefMapHandle 8176 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d869af2d-d9cf-4bda-8214-e188db7c05ed} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 8060 13fff0c4758 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2524, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.15.1923010121\2097245087" -childID 14 -isForBrowser -prefsHandle 10252 -prefMapHandle 10256 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {405f1fdc-d077-4356-bab2-d1127cbf8df9} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 7932 13fff22de58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2632, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.16.1054679975\441330876" -childID 15 -isForBrowser -prefsHandle 10096 -prefMapHandle 10228 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {434d9bd0-30ab-4ddd-b7dc-ea0676b70bb8} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 10368 13fff22c658 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6836, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.17.1347025268\1403218175" -childID 16 -isForBrowser -prefsHandle 7872 -prefMapHandle 7868 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {391c8df7-c6d8-4a39-b829-9f3c24cd7ce6} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 8076 13fff326a58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4060, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.18.1935884810\1700379263" -childID 17 -isForBrowser -prefsHandle 10056 -prefMapHandle 4612 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548a93ff-e233-4c34-832d-671bfbc87f13} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 8696 13ffeea1d58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2372, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.19.1747853569\1729719176" -childID 18 -isForBrowser -prefsHandle 7564 -prefMapHandle 7560 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc4acd44-4f78-4e62-85cf-fc26466978f7} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 7572 13fffc0cb58 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4968, rdd)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.20.142862008\1850233790" -parentBuildID 20221007134813 -prefsHandle 7504 -prefMapHandle 7492 -prefsLen 26774 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9acb2066-1394-4dbc-a5e9-1ebbbd66415f} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9804 13fffe65258 rdd

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3624, utility)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.21.538362903\1659892678" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7516 -prefMapHandle 7512 -prefsLen 26774 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f3990fa-520b-414a-981d-6a7a10d2256e} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9820 13fffe65558 utility

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6524, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.22.1997188342\573238736" -childID 19 -isForBrowser -prefsHandle 9332 -prefMapHandle 9336 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12c503ed-7d5f-4d64-b919-af100e9f964a} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9324 140006ac858 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6600, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.23.132623929\1661549664" -childID 20 -isForBrowser -prefsHandle 9208 -prefMapHandle 9204 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb2dd93-3855-49e9-ab7a-b37890d0aad4} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9220 140006ad158 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2392, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.24.1645191612\923559804" -childID 21 -isForBrowser -prefsHandle 9000 -prefMapHandle 8996 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cada157-4f76-49a7-979c-b8edc8fd94ed} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9008 140006ad458 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 8112, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.25.645184434\1482162118" -childID 22 -isForBrowser -prefsHandle 7568 -prefMapHandle 7552 -prefsLen 26783 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f654566-10bb-458d-9bf8-bb57a415a5f9} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9684 14000c71258 tab

    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 7468, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3168.26.1022865544\1014591524" -childID 23 -isForBrowser -prefsHandle 9908 -prefMapHandle 7628 -prefsLen 26783 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aeaa49f-8341-47ee-a6e5-99cfd2ad2af8} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" 9896 13fffd6f758 tab

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6372)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8

- C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.exe (PID 6568)
  Command line: "C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.exe"
  Signatures:
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\rundll32.exe (PID 4360)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

- C:\Windows\System32\svchost.exe (PID 6220)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: b760ca1e009c8d440a80fdbbba3fb669
SHA1: 892c3d3f80708cc48bef83d397e52ed61a85b356
SHA256: db2e4c37e50db4cc66a394db513f8fffb7cbbc74d2e71d94501af0dfd6bb05ae
SHA512: 1ae127b28429d668e7929baa8c9b9d150f855461214f820561f6d82f565cf44715cf66a22ccde617f2123140b4db43fb2c42083945a0a2470ff16762fe3f8a27

Filesize: 8KB
MD5: c3ca74342f6e15a54c4ade8c3c1aeab9
SHA1: dc573b860e1c8450ec7331f52bf567b89e91f67e
SHA256: 6d5bac9448b2ca5c19340fcd5dff0b07b734ead6864192d5beb09eb4d983d23c
SHA512: 90411845776488e7022b5933a2e14cb97285ae7650ca4ac7016a17facd2705f022bb7ed029fb9655236a9bded3983b65b08bceb644cced3bd3055895f0e663ea

Filesize: 8KB
MD5: d8a3158e5f4370622a9cc10cb393abfe
SHA1: 811b1ae55a49f458bd4251dd6f94092bf6b7870a
SHA256: 849af5f6e7def539e15f0030b0e69b1d5a3060c80bacc43cccb7ece55c44efe6
SHA512: c53f6b7b6fb3705c48a7327c3342a805ac8ab16a551d46e6e787752f56dc9a155e4d24cfc17ded5640502609a418cb220fb2281c7484030d7d96ef1f8c9d3a47

Filesize: 10KB
MD5: 1d937a9d4b4ea0abfd530a1670249ae1
SHA1: 5b67a95426524a10d705d1eea5fefbdc19b155c9
SHA256: 8355e7a699508e225a9b7caa71e4b7b8b526ca758c84a32f0c062674c3093638
SHA512: 17cd8165e6524402560e56aa6a03adc61a84aac6bd6c9aca2d517cfeaeafccee0605f93193edf0260476c56ca47056a5d2d27a2ce5ff73ab914437622b6c86ac

Filesize: 7KB
MD5: cc912f58219536b7042218886f27f7e9
SHA1: ec16f359b52784fd5081b99b10f1aa459477ab39
SHA256: 10e1d9dce1e147af99428764225e06764b17421009de1fdde770be8b5e43b241
SHA512: da726690a426581fa8a87850744ef1f747ebf4b7b57b8cb63c97d8a62f24c790cc79bde948e67632d94535c7ca6be62bf119a250052f53fc7caaa39699853bff

Filesize: 7KB
MD5: c80eeb949c32162f407666e9d37f09af
SHA1: eac72b449decf2435ed7242086f51637a2e7257b
SHA256: f9d6fe64552285ff29419f23f280a4d78f6322fd666ae4e44d922483a6608955
SHA512: 29dc6db96d8cd7f2020796e477919f6291955872b03a396b139fea4b3fe76a93797b3eeaa300ef76700a4e7c58c35a67a8f6d594c6a52365e5565901b561da4b

Filesize: 15KB
MD5: 2202dcb57cf6c1d52afb948163bbbca8
SHA1: d2a4856252a685cb2b8acf19e55e1cd2ba18821f
SHA256: 09d0eaa8676b8837b4815eea4431265d6bb9a93c2e0c0fd3c002ec12d730c77d
SHA512: 7bb6b9c0899cf814af7dfb473ad50d12f4b708e1cba8d8c0ee63140c535496b14155ccd54947ec84c02a303224a563674be790784627ee56ed7ff4bc0c4b1ae2

Filesize: 6KB
MD5: 60507a42b44e427acebb739f0c1bf629
SHA1: dbbfddef4fa5c77c5f07b79e3f5e20d5740fd32d
SHA256: 82e91c615a2991a301ecfcda0d080f7804c83d1fe6d173e843458cbc1e86f422
SHA512: 728d56e0e9cf5cf4b0a4c9b6f12bb78d8fd76e6fe54c99cf500b80e467ecfbe1072d668022d6986a67fa3ba488061ae13d8f23296bee2e851c8237c9a5bd3d7b

Filesize: 7KB
MD5: 2a151001ef5823fcf224cf669676a4f5
SHA1: c11bc6ea43f569b84c822687981d78307bf278b6
SHA256: f4bf8e90c78f07bdb67f086cff40d52ca74ca7a263d67bf295d4e8d35eb0b1d7
SHA512: 9216a7afc8a8ffa54e544266c27619f7d67064e191707911c665a2d1a32410daf052e8134dca4f06108fe6322075cb43796026f79166021d530ea47937189daf

Filesize: 10KB
MD5: 152caed31b4b52ab455ea220f24c50a0
SHA1: 3792d824f1b3c7e5c7a1170cb4a72f636103a4ff
SHA256: 8400fd663b27bd2942800a13c66757db762c40cae97181fc2c4ef1f01c19827a
SHA512: a1101ba31d15237d7c9162b86a90a95038681052da1531140d5c499489be718cb0b09bf58dff0f210b0f2fa145060390f4f084e04b094f6f93321bf228923037

Filesize: 7KB
MD5: c7495747e274a420771b0ccc93755172
SHA1: 7a218ca6b1979a9a04ea35ab25db2a63853f3f9b
SHA256: 9c2a2893ed2e7540948b4f94720f87715206323905de83909ee55aa5cd60ec88
SHA512: 011ec5e23ffe26d1f3a480fe5b5324635bc4eb79cd9e19ab5a6d3d7a291738b4be8a8e8637731e65d9207a84b23c85ff460411e6bae648f1e6a16b05a08548c7

Filesize: 25KB
MD5: 9c40362da1c06d7e88940996c8dba551
SHA1: fe77f9c7a6f8933e850acc23f76d8fd4ea855c34
SHA256: 947d80eeff374fc6396c563e1cc97e6bef48d00337b73ecc33bb2daed747986e
SHA512: 0db7b6b8e514015ef962638b600d8f0ca53a196d1682db3b5373fba7d2d54f84d8cda7e323973bd4e8e9e86fb982fd5b4d35f5926610576945fc4b2fd9ebabf1

Filesize: 10KB
MD5: e058bd77a4fc0e9ed2b0cd6c438c1f77
SHA1: b955d53fa9a4fb3ad1920617085782b24c9f6545
SHA256: 5e5232621ff88f6016fe22235a68fb0a05d0a254abbf6663a7d00975ddd227c3
SHA512: 9aac73ca8fd4972348fb67762047cf9f7525fc5aadb98a12ac07e45783b1c64fba94cff3d8b06136507297e2c4bec653293b2c26667ff37aa929a8d108ede8ef

Filesize: 10KB
MD5: 65432aa174404b07d58dc54a0cca4aa7
SHA1: a0110aaab7be3a80aad360574d09bdfb48d1a221
SHA256: 67eba0f7c6c485fbd3afd7a0a0fa2bf6264f1b1692c4e1957b8cf3bf190560e6
SHA512: f518b4a47ff941c2d9301284e0931bf0458e812ee0e4d14e57c25ee363f6dd3d8511626ab80316750bee0f45b2dc7b54906e227cbb8dfd2e64cca30134c9e4ba

Filesize: 7KB
MD5: d96d25e638b97d08e9572e01d9ccabff
SHA1: faf4814be2536e27373623792f64e5d6b53cbe69
SHA256: 0bb723184107cc2301732ea9c73fa12de9f88878acb1f1f4d24f8272f59c4f7e
SHA512: 765e4f1878b39499d092eb446b2214f3f67e33d5554f244f3f7a1722ea70fca8e7e0c7cc851f5b860f9ef25008a0e9497ec3a86ac0ed379907f9a4bdafb812ce

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\1122804188F6C797DC8046D20283A0585337BA1D
Filesize: 106KB
MD5: 2b7b2f0a8dc17aa8cf9c6725b022f137
SHA1: 43bf2a59dd92c410809c7d43dffa7b3442ba1228
SHA256: 3dcfe00d62dbbb4893e58c5dea4195ab808e1f2d055a2c281b287b93d28813bc
SHA512: 0b6e50363e38de8de84fd60e38a29a9bdb8871e26a67f7a3f77afa78ba5691a0a6195a0aa1ddb23237c95e7dbd224e893e2a0d6067fc221ad9a743637a423a12

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\1BE6367B7647F11B0DC9D4C52CFA6BB02935FA23
Filesize: 74KB
MD5: 747dd3a12e0b00ec6549192555379b90
SHA1: 4b15fc460b4576725d971835bea52ec7d268903c
SHA256: e44952c494a1029eba99726a5f079e171b41454ed300b1058b28505f2551433a
SHA512: 24bf758fca3460dc957299a0edbeecca3c05a52f1f6d6602061d5977a6ce70f8b77f32341bf4d6c9abb97f152bd8cfa96e12498683e3b722cf4e2e66ca6151c6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\21A7D5731DFA23DF1F2B625219D1B9B7A118D4C4
Filesize: 192KB
MD5: 5f5a7ecb476b90bc5d138ab162cca91a
SHA1: 82f9362ac3690e116e138c6ecd9ff674caef4fef
SHA256: 1cc6c89259582eb2d4850cacd2e3644b837ee9a377680a573d8f57ef24aa6633
SHA512: da180a15ed54a368bce44f4b1e610dd2616021be189a7df0c86c4d364e6e5edd08caf46a542f738f80c29622c1cbb1e8e6c4e0a08c9b22382372c1645f3da07f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\22BF579BF7C80BF8AFD2869F60172DBBA6666047
Filesize: 199KB
MD5: 34354a396bc22bbf83fcb1e7a460218a
SHA1: e1853708ee93fc1af3dae13ec89a8396f9e3cce0
SHA256: 79bf1dfc6b3d5fd050e688792bcb7f73ed51473c774bb9e120d04ee90c6649e6
SHA512: 3254cd099f5818dceccdb8abb561a52ec7bc2af72e4b6468c685dc581ae475c18bcb6e6b7eade32b1f348005042018b1b1ea2f12e845d5389bf19019f452a6e0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\2B68D02AD6AD906DD0374EB16717DD7F664A5C96
Filesize: 273KB
MD5: 6fcf97912ca01b4dc5dd9f5e9948eb3a
SHA1: 0f0399152907de61d4dc4ea2ec3a58438e92e94a
SHA256: f9e115f6b4b9fa2e06645786ca4354c47f93054aa2a2e8cc94d515fc39ceefda
SHA512: 2dbc242763fce34cbbb9de837778faca0c58329c8d8bd8970d1c91d24a450a23f3bbd69b2d4866f4d54d0e76b0707a9a104c1a950e5e524118dc3c81c5bccb6f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\66F7A28EA723B6E0F38FDD933AE945F828FD9FF8
Filesize: 144KB
MD5: 281fd8890a732bedd69dcc39333c71ad
SHA1: 45c44f69752e4c7d53b9f808e854ffe3b2339059
SHA256: 19a6c708d951d24905ce2006352bfbca402197b4eee8dae5dd65d54e3d740a5c
SHA512: 7f3ad4650504fad7381fb3d099440f62163461379a86f8e5efb8b23e944a6ba4ff08dab446a1765383a0d7e75a3aa12bada63682203a90e2a5792d22b3283242

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\AA08C1E856F4A9E89997435AA0F1010083A5A42E
Filesize: 252KB
MD5: f966c322bcbd7002465991cbea5b5069
SHA1: 681e99216b7dfc9d829fb8bf612725b63adbd910
SHA256: 504ad9af1a17266c2fa88b752a5410195bd04c7533e5dcd1ee58b9d98b4e6c0c
SHA512: 7a0d368be36211ab7acac88b600dec0ab239e28c5e4c3a858503c7cba110e7d3627f09f0f7f07205f27b8f94429b07ff5d48e60c57a99caddfb39761d00f6b14

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\DF94E1E789D70221FA47686B54BAAA3594B07FED
Filesize: 60KB
MD5: d2d318516f8786808f304c0e69e76749
SHA1: 3a6fff3faef4360aa4e38548317fb297d0c8d37b
SHA256: 9dc0af6d80b128dbd903b73c9115cbd6f2404967b800fb83e4152780dbf4864c
SHA512: e310a20606d1df962bab24c4575362cce673dbee6d0f90f15df7c7e2499e6be8f959dafe7d891375d1491f1e2d95a9b25ecdfb481d5eae4d34a255d4bf9293aa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\E0BD2C424A592398348731640071F0F4C8209E48
Filesize: 12KB
MD5: 04d2164c22a6d421549d86a142c66f1a
SHA1: 7444d6dc359685e11a97e68637b698b6d675bdb6
SHA256: e9f15a5a742cd57044c588732125fb9d177a5d01c6b5537ba21148e8638ec222
SHA512: b02bb9a53be0b93693dbfe18606809f51dd1746c25e77ec5db858a11d09f55f49c63776affd8a0a8018bec268a2407edfe6466dc6f227232f22746474d205164

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\thumbnails\d9bce9887e3945493aa3b293daa2ff8a.png
Filesize: 9KB
MD5: 20ecc6bfdd28d46d5519af9c91b9760b
SHA1: 692d0d85f35e7d0c4e759ff9b5351c5410a118f8
SHA256: ca0a15654ef6f49de39ba1c4a28e973095efed27032a7c4ae1dd5b1826cea631
SHA512: e69c83c6e84ed22c126e9a032a20034ab7fcb725eb28cdf39bdce7927a3b906fd30ce22c4bf701ecd42c03d298fa21612f26d8837c58e100305183a3a4d558cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 19KB
MD5: 6ef91414759c161e201e05ac3d2bf0a5
SHA1: 9a185cf03c860677ada5b8dccf70c1599b45bd42
SHA256: 0b72bfef5b9bc904160c28812e3d86df328cd68a09febe9e99cc9f07948ff823
SHA512: 44aa5ce6b044251312053892c91795bf0d8939c2ad6c84e18e7443dd409db3c16a51787e33d0159d1de12bf595aa3f2ea4aa5f1759ca8f067bbdedf0141c4b22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 16KB
MD5: 6dce585896a55401aebeac2c1ce2466d
SHA1: 0e16aaa0aabf57270d8e6bb0b8ce9d0e3388bd98
SHA256: 2ede77efee845d599c8d8ace5fc10a9f22922fe4cfbecae9a8cc11ce8423d938
SHA512: 446e8da2641ee931ceed06e32d8d44ecb2d5903fc97529943dbad6f6b3e35433365517c4ea70fe818fcbf79249ecf27c1318730ccadef436bff46cd5aac1c05c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: e8245b347e9527af2f0ae3c34e094317
SHA1: 6bbc742e9fd35bae9e73bd0c520bcb323f802304
SHA256: e869e6e5f6db340dbeca40bb198d7a675f035cb17e0a47fbd29907f8298b72d8
SHA512: 26b1f098c747438c878d93d03699e83a3ab68b4705fa0398028a0b4246a37c532d81c245a221d00a05909b5b1235ee6698e0ab7574d3fdaff87abc6cbbba4f7d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\b9390a31-df13-48e1-95f2-ae74626fa470
Filesize: 11KB
MD5: 54814c38f3a9df152f7ffdfb62fad877
SHA1: 36edd2a187aebbb9ceeffd282c10a5ed5ab0c350
SHA256: 86b4f6721155480204fc099c2a869a7c340799f9d9ef1d71ef31abd98c6f2e54
SHA512: fdef1fff926ee7e47ac6ab46ac30d00279a0d472c3cc68150b6ab30cecf651690e0038c0979d1714509f3f8e6bee7e25c79e6908ffa4e6a21f6f43bbee7450f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\bb97fff6-0cb7-45a2-9b57-dbee0e9a7409
Filesize: 746B
MD5: 7bd881d68d72a04efc5c5f9a460396c5
SHA1: 656c9b6ff6b203ed228826e6982bd9e97c11bc5f
SHA256: 5f91f9544ddcda574829a7e701ddfd0eaa0e98b4471beb028b9b6f833e7538da
SHA512: 050be208c36dbb51fe453a70aacd3f1a3f38f989b2d95156d97e4be5833dabffba72fcb51195807b98122a90988b6896ff516726fc2944189972866ce15b0af9

Filesize: 6KB
MD5: 135574fc534a44053890e36a687f2371
SHA1: 01fae4285ab5a3a9a95414c9e29205e66c563bce
SHA256: be4359f4369eb41a6b6ce03b7cd77a4cced722b0bf3dfeecdc4cc40cb03f851d
SHA512: 74ac965aa0833baa8350b83e17dd2b962d974094771121134f6235178e2b097dc282a11869929744fa0fd107e0e3bc73d82d833b3d042a0acda4157dff9b9e23

Filesize: 6KB
MD5: adee79b78f554ef9122ddad8959a5dae
SHA1: 2eaee96ed991b8920f072a43654d9ce3c85ac597
SHA256: 45ec69876951482d60a86752c92157c5e3fc25ddb6a263f2bce138da08d07497
SHA512: 50fcebdd2276320d1ef3d5905b496faac715e52d4c4f14fd63e17e304699434852d8fb84693accaa5792366790fd9084686d9ea958c837730fc7d1cdd3c6486c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 3aa8eb849b43de3499e49f8b18e7f480
SHA1: ef9c01d5ea1e4f2b1aeaa74efab53f3ed9a65f69
SHA256: 04ca67932e43dde9234eb92b651c062351ca2a3295bb91c8687d10d1c79d6d95
SHA512: b12da12efabc92f80cb876468ee2b3dbe0fb202e53f3ebd63070f9a8fc48aa5e08ce1314b22e2b7b7357c6a817c4fcdba0bb2b7ae81ee6f0fb498b144001f6b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 299747eb3e9520a3bc175ecc3a0e7511
SHA1: bd248a1145c7fa70dd8f8381868dbeaea4a25378
SHA256: 406b3fb532c1cba0a030ac5d36c805ddd6629857252daca2a53d088532f54436
SHA512: df303f2371b2d28640f8b05be6318b3b8014320e52ab690aad20e1f1026b97a40687ce3dd1b615851234150b26d3a2bfe9a5200cfe4bee979d550dae8a6a639e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 6KB
MD5: 20819ae0ceb449d0a9bc6ac731146a8a
SHA1: 80d879b7843e9445f2a531f26c474f89028085c3
SHA256: 3f86ad4c9074cce876036d662fa462041c7bde07145fdf9a1f7d75b8a4be5d2b
SHA512: 736947d486bc02a096bc8b068d8de7942aafe60e48ac9d15273a13ebdd2497ba2d894b391fa5a3e2c29bd9d1346ecc3fed30a314b58a9b82cbe5c2e3871f53f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 6KB
MD5: 5f00db6fac5d02ee09db3187c3f3bcba
SHA1: 49836dbd3521ba50176b5e606fbf90883a3cb561
SHA256: b1db5935c784bc3155498cbe0a402bedb220897b0fa326dc3d539e34fbb3bcf1
SHA512: 2034cf7f5856cf0f4bf28f87778ab7131be50ceae8ea77d1e4fd3c389124478ddaaadcdef870fe52a04721bc56351bb9010929f4059916f10edfa5b8b99482f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
MD5: 61e27e765111ed1ee24518f1839dc566
SHA1: 31ca497a467ddf87a1fe2f50a19c0a2287684094
SHA256: 140314c0e21ca74eb78f6c21f3fdbe727d98a336f899ad703aa69c4ca9dcd77a
SHA512: 8ff4aee8a10b2f92cf459d12181ce69520798664a5aaab78582062089c15257e644205b2249889d5668235f729d6c8eaba9211a7353f72b8205b2b4ae8329a17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 6f99e37725675b4060d544f9d22b958d
SHA1: b8688020ffc30bd2a6e7275defc2334e32a9e06a
SHA256: 7859e4c945e9a4ada13e103f412bb03b213a8f735f23aca6d7cecf273bd85db2
SHA512: 4bffb64ade37be910d4aa94e515df496f5978b0476edc59fcf851721000414a62d39c8deab8648392485b424050cf8d339ab53e1382d2f52ffd37a0821beedc3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: d08aa65efb3e5f268d53c01a2544c165
SHA1: 4750247ea3b09cd103d3f64f8f755e1c913b5036
SHA256: 13eb2093886227b4adbf44d9d22384feb41e326ec6bf7c31691904c9ff7873ad
SHA512: d7a59ec5c9d04a3ebb344bed6384c15a5b7dc5f12b0365e263b8b6157b35f5f5492f0cd39aba394330e838d8243925ddb181663716096f86f0dcc0db4dbf90c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 33029e43d55ae7b08c1ad84c6208eb82
SHA1: 77532663788b4faeb8fbfb7e764963dd5808ce5a
SHA256: ce730f6f667c9c797a906639e23b9809c4c69db8fecdc3aee1289b214bfb6955
SHA512: 7f6dd2ac2fcad7db2843dc2e23049df0ed13dcc30521aa0026b5774f511105da9409df1a2a6b75bdbee17b9473abc489147c74a990a45748f7b6ff993c705bfc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 5KB
MD5: e61ae7f1bd11c5c2dfa6f8a6cc7a7d12
SHA1: d9310d94c83e428293512985a10892f19aba61a8
SHA256: 2f3b44464a438307466c4b1c0dd91e6a4643bc84ac410a786befb05ccacdf98f
SHA512: 22ae0f1e74a725a24db4b7c78bd81b29f31bf43fc6313634cb4d1d309bac485096126e628e751d5ce5e51e7a6d5e8d86db9dab5c1266006e28eaff826e1a30b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 6KB
MD5: 509485875d393d6734b4834d16793ee7
SHA1: 3c93180eb610a14209dcd8af70f4600934ca372c
SHA256: 5046ec60e468b116bf33bc0265932b949b8d99497b5c68eae2bc2aeea6c27712
SHA512: 424816e9779a0ec8553e525f35e1d33762d08a81389709eb253c19f4b03a309953f9618c6d15705dce0c8b665b883c3ce261be902abb8b04dae870ac8860c9ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 6KB
MD5: e07a1cf454ed40e285e876cefe1c2cc2
SHA1: b2af2398b33d768290a32bfe27a6c0ab9fd22330
SHA256: 7de4f6911b4c3d6f529ef92c451e21bb721b056debbbd1b2566579315aefdc31
SHA512: 1a98cedf8bac3e08ef939e97ef51c47fc2cbc091b7a79f9dbbdaee54a4a3949bc5bce8a8942fe94a01194a9c669f3c31b6facc0218cca9da6cefb2f9dfa0356a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 0dd162cd463229d1f86e58290614c9c3
SHA1: 74a7244b40f4c95db87ff1f50e288ece70af7df8
SHA256: 085d35db8d994ad6cf6609509b20340d4679e3d10f8c9186ac6a1d41d01ebcfc
SHA512: 7559347d3b5050723eff0115e2fecff018852556e1a53df3d89524dadcbc8c817ffc345b8ac8d2c3116ab22446b7a9f29b651ff13e6612682647e807ee56b1b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 7KB
MD5: 0d1163743d574e4d1dd76f0aca7cac2f
SHA1: a9008828a410901962ec61996d889565c2538206
SHA256: 54cbd2bd5ae8793adb6f0586faed816e9a1189cc2e4fc8a59a271c37e1e67e8e
SHA512: 74d86b336f65c2bca01c21b2967066a1d70b60e863e99c5c5881ec7105277def94851a090591fa07758d491bfbac56cb86d5a5b9d8a9a954a7f3638da04188b4

Filesize: 3.3MB
MD5: f355889db3ff6bae624f80f41a52e619
SHA1: 47f7916272a81d313e70808270c3c351207b890f
SHA256: 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
SHA512: bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb