hxxps://insespriu[.]imtlazarus[.]com/index[.]php?user=ecvale21@insespriu[.]cat&device_uuid=1f008cb9-87a5-4a0f-a70d-b790fad32737&category=34&url=github[.]com

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://insespriu.imtlazarus.com/[email protected]&device_uuid=1f008cb9-87a5-4a0f-a70d-b790fad32737&category=34&url=github.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6029DDFE-C895-11ED-B7D7-EEF7611730E8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Salwyrr Minecraft Launcher 4.jar:Zone.Identifier firefox.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3968 firefox.exe
Token: SeDebugPrivilege 3968 firefox.exe
Token: SeDebugPrivilege 3968 firefox.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exefirefox.exe

pid process

5064 iexplore.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe
3968 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Salwyrr Minecraft Launcher 4.jar:Zone.Identifier	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3968	firefox.exe
Token: SeDebugPrivilege	3968	firefox.exe
Token: SeDebugPrivilege	3968	firefox.exe

pid	process
3968	firefox.exe
3968	firefox.exe
3968	firefox.exe
3968	firefox.exe
3968	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exejavaw.exeOpenWith.exe

pid	process
5064	iexplore.exe
5064	iexplore.exe
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
3968	firefox.exe
3968	firefox.exe
3968	firefox.exe
3968	firefox.exe
4616	javaw.exe
4616	javaw.exe
5880	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 5064 wrote to memory of 1020	5064	iexplore.exe	IEXPLORE.EXE
PID 5064 wrote to memory of 1020	5064	iexplore.exe	IEXPLORE.EXE
PID 5064 wrote to memory of 1020	5064	iexplore.exe	IEXPLORE.EXE
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3376 wrote to memory of 3968	3376	firefox.exe	firefox.exe
PID 3968 wrote to memory of 1476	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 1476	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe
PID 3968 wrote to memory of 3776	3968	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://insespriu.imtlazarus.com/[email protected]&device_uuid=1f008cb9-87a5-4a0f-a70d-b790fad32737&category=34&url=github.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.0.1582570209\2089384839" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2728eddd-97c3-440e-9f6a-ebba50bda4f4} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 1932 1e5aba16558 gpu
3⤵
PID:1476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.1.40820274\1602242818" -parentBuildID 20221007134813 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {760765ea-7402-4261-ace3-d0b4878c4b8e} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 2336 1e59da71358 socket
3⤵
PID:3776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.2.1044840948\1863498513" -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 2968 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5528ee-384f-41f0-937a-dc7412220545} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 3216 1e5ae636258 tab
3⤵
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.3.1774890755\1907272627" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3392a96-11ae-43ff-aab3-e2f220ba97be} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 2520 1e5ad58d158 tab
3⤵
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.4.1340808379\599846951" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ce7939a-d5dc-4314-a38d-62d6d0a1fd05} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 4044 1e59da61f58 tab
3⤵
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.7.267705561\1663860744" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de667b3-5221-40b1-984f-e8aec6bbd377} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 5268 1e5b0ac1e58 tab
3⤵
PID:5580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.6.1294236709\104518135" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d0d065-a8f6-4844-b71f-20234b91b4d6} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 5084 1e5b07b8958 tab
3⤵
PID:5572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.5.824482320\1247640122" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4920 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7141e052-4dc0-4682-a3ca-ae8cf652a86a} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 4956 1e59da72e58 tab
3⤵
PID:5564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.8.1710723316\130613773" -childID 7 -isForBrowser -prefsHandle 4924 -prefMapHandle 5600 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47c22e41-1ee6-4c49-abc7-74f1e2637602} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 2876 1e5acdc4558 tab
3⤵
PID:5888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.9.695713626\753273423" -childID 8 -isForBrowser -prefsHandle 4628 -prefMapHandle 5892 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52e22f5c-f5f1-4c5f-a8ad-764167588b8b} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 5924 1e5b2467d58 tab
3⤵
PID:4364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.10.1615712110\1281216946" -parentBuildID 20221007134813 -prefsHandle 6060 -prefMapHandle 6044 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {505dd745-121b-4e96-b1fb-e80dc8cf2964} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 6116 1e5b22f1858 rdd
3⤵
PID:216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3968.11.280530273\77024421" -childID 9 -isForBrowser -prefsHandle 4636 -prefMapHandle 4744 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e43253e-0a73-48ce-8f12-0bcf4f6137d2} 3968 "\\.\pipe\gecko-crash-server-pipe.3968" 5492 1e59da6e558 tab
3⤵
PID:5940

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Salwyrr Minecraft Launcher 4.jar"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ""C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr "
2⤵
PID:5072

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw" -Xmx512m -cp "C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar" fr.salwyrr.launcher.frames.Main --salwyrr salwyrr
3⤵
PID:3172

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:1156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
90a819e611c2687f4a26cc5bf90e1a72

SHA1
64305131c1483d783399d9c64bff1aff62cf2030

SHA256
2ac8d1189d2266f2b354027190a0c2c324ac1982c9cea5dcbe1f7dc283c8da5f

SHA512
b88db2438bf90e6cc47b5c4b3a37a7f6ca68b50eda05a72df0cc439a86f2433e06a1e616c4a80441afdf6ee1fe6178e85390f876b20e39cf4979f12eaffa9432

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
142KB

MD5
de1a793b3a2600a509755be2e9ff2c2f

SHA1
30b13e910525c56c079df11eb5bb1bc3d27c574f

SHA256
7bd7b516d78df177de31f9c140023c89ae91324beb871a991b4409112de3149c

SHA512
e453b6e6840ddd6fcd5747264d75884dfaf841873b3da8b3fd7e5ff7f206fda309597f5d11a11ea3af4b1f22ff5e46c7f58e955fbf9ab6485b9546a0342f57bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5541466947214346093.tmp
Filesize
3KB

MD5
59831fdf4453bea0a039b813e9d8236d

SHA1
5ec5558c3ca5704931a935ef165847fc7a7e333d

SHA256
106017ade1a102169cc96dbee614bc56df5f60a2826653bca223ab8423113ce0

SHA512
21ccfbe10fb7fbd857edb3e8f10e2a58a17ff9a08eb9e1b64245dad8b6925a19df89d142e847600a64a0453a152654559a4654e3367f51f0c3e06e03298751ed

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\launcher.jar
Filesize
3.9MB

MD5
a9e78430f811dd1ebf237bbbdc2d4344

SHA1
bec6cd5e6d16066119de1b4ac6db764b56868145

SHA256
449b6ff61e01832256b1f0770908ddeee7faa062c3689cdff1b591dc30dad313

SHA512
cab14833636811f33a1148d982dcf29b2a08ba23149dbd16b56bb623c099f9540a05e40e122f684507be9991b1952b013834b784c20aa383229a75b7b82f0035

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1013461898-3711306144-4198452673-1000\83aa4cc77f591dfc2374580bbd95f6ba_378e8bf1-7517-4d84-8459-4934a33614da
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
8522038132ef208254d2c6a698e25f16

SHA1
ef21ef5ff3a0e797ec8dbea487d422482ca7501c

SHA256
583287c6e65b4e722f5fa8630402855345ad83d0f7f503c379bd0c11454ed8be

SHA512
3101684edb9a6bf4d74a033c5f5b318529f895e0ea22852bbd9a3aa55f53a23d3529fe895e79298e14195837ad208690724ca6ca99f97d86df59494ed708e48e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
f2d041379a1bad1dba31147e43969cd1

SHA1
7d4465c8c82267f9a8f85b3e700173148b01f68f

SHA256
79a7b4f39b7d72ff9a4023d3d76ce3a273abccd8317523b84a24b1a446659ff1

SHA512
b2b128bf215f5de0f1dac9e80539d90e6b7675825578d73e41125d9a067885f7c97495b7b794da53d82505bfa97111cf3839d8e4f977ff24b23364260ec4d17a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
e42f77cd361f1c67f4ab611eef030890

SHA1
b65d21213f02a550c7a995aa3bb7406a2bf5713a

SHA256
8da1ea90f4be46f4d837b9885ae5d4c56f304564c4e52460646c57ee15b91205

SHA512
9c74210574847a393039a2bf39b31eb7a3d11a767fa611ea5c9540d005fd1b2dc516abc1893c54e85aab4e3443dfbde35ba055cf1008f2ebcebc24f50795e52b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
e5d6a11b515edc907ddda79fef4f14ea

SHA1
2c1269dd475dd0d8081294c062ca0240accde54a

SHA256
afe2421e29511c2c41585d0eb26b2fa5fbfc122505a32474c4f2a008fd119b02

SHA512
6c17803a79b46dacfdf59b0c304c44e49afe6637beba7384e95516ee560e91ca64f9c20818bac685004c36876f8a30dc963ee786206826bfef7cf74f35ec8828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
32c6841f519230c1ac5e97ea0edd312d

SHA1
0f1ffa34dc7976f49daaa85d8842e893437392d9

SHA256
2199055478f98f90f033625572bfafa9d7e48439f3d93b62f1e1dff6f8918b96

SHA512
ac2e4ba9b5e720ec76a18143441eefaeccfec0ae0a07e6738f52395a710d8044043c0104f5f55c53c918b34faee34f2218e4f56fbbbf73bc7899999a09a28a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
3abad1cb36978d04ca72b2709bc532ef

SHA1
a07fdafcb8475e022d22f8c4d33e0a14fe87653f

SHA256
8ce9b9f3112da87d2aee6025890660f9774fd183067330753448b1cf9e55584c

SHA512
0c9b08a167fbc76393791c129aedd5823f8dc92fb70938a2910c68c7dcab0585a0d6ced0ecd6e9606f152576ab104a464ab1c7523b079ee7e476d83be45813bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
38c21043d544ec3a8d4930a684373d85

SHA1
1cf959a5c0220965f1c13f669593d78ba0c5bb0e

SHA256
b3a6fc9cea24f8991e97308db952da073e8d96d9a03bcc25b2a2e3570238365b

SHA512
1c178312b2f4f40b4051d96457f73da599cddabee9760482232c692a2986e4ea5743cf62980b266b2fe4b43c87482e3574833b9025eaa342f4861cbcff1de631

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2232182701SeesravbiacteaWDosrgk.sqlite
Filesize
48KB

MD5
360b5489147fd3a4ecf42442da29d058

SHA1
7ac808fce126da2a282b82bdb6f934234a963980

SHA256
e52effcea7684ec99d33c739849043093d857b8c020a92f51f19c6dd64ce8846

SHA512
3eb95d65845e0c5bc0c27dde367b4964ba981a98b7e3a30c1596333a73c1f66c6c6a2d407526b50cfc9b40697f8ac20e596d714146d7353857b541d785ce01e7

Download Submit
C:\Users\Admin\Downloads\Salwyrr Minecraft Launcher 4.jar
Filesize
807KB

MD5
a616e898ea735980492f41da00f88f39

SHA1
6de46eb8ddc768bb6652d45fe59904371e153c5d

SHA256
f018c09f5f093f5aa02fe54efb36d2c79382da298bdd16731f22a51ad69bf240

SHA512
130337c5738e9cee84dff629c5d4a34f9b2bbf587e7b0eaa518075a76a8086854e7604c9ae23455eca239fbbf36c3c1472b477d306a347a1dba9b1c63c61ee3d

Download Submit
C:\Users\Admin\Downloads\Salwyrr Minecraft Launcher 4.qZ5NOd78.jar.part
Filesize
807KB

MD5
a616e898ea735980492f41da00f88f39

SHA1
6de46eb8ddc768bb6652d45fe59904371e153c5d

SHA256
f018c09f5f093f5aa02fe54efb36d2c79382da298bdd16731f22a51ad69bf240

SHA512
130337c5738e9cee84dff629c5d4a34f9b2bbf587e7b0eaa518075a76a8086854e7604c9ae23455eca239fbbf36c3c1472b477d306a347a1dba9b1c63c61ee3d

Download Submit
memory/3172-1210-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1295-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1313-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1314-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1333-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1337-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3172-1370-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4616-1186-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4616-1177-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4616-1122-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4616-1111-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4616-1102-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4616-1077-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download