azorult | 700b25ab3003c923f6fdb629d831d231712527823e65377f4b282eca59330f9a

Analysis

max time kernel
116s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA_San_Andreas_keygen_by_KeyGenGuru.exe
Size

5.3MB
MD5

5388f1b8f720e0e9668a99d984fb96f5
SHA1

e9754e4b176f4b63d52029d6fc48b85b3553ea41
SHA256

700b25ab3003c923f6fdb629d831d231712527823e65377f4b282eca59330f9a
SHA512

70b8bf27c10fec89bd60030315394f7c262e719ed99c7befcacd140287165ae46b23df49f7832728d5bc4320230ed09af5a6a40e836af920c18501298033c848
SSDEEP

98304:ehhhNFPhzrPnIGfm/1oiAktEcCFNr3tkX9AMCScsZmuKfTxsH:ehhhNFPdrPTfm/gk+xtkMScsZmuKfiH

Score

10^/10

azorult pony collection credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://upqx.ru/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 3 IoCs

Processes:

keygen-pj.exekeygen-step-1.exekey.exe

pid	Process
4584	keygen-pj.exe
5052	keygen-step-1.exe
4048	key.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exekeygen-step-1.exe

pid	Process
1580	rundll32.exe
5052	keygen-step-1.exe
5052	keygen-step-1.exe
5052	keygen-step-1.exe
5052	keygen-step-1.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

keygen-step-1.exekey.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	keygen-step-1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

keygen-pj.exerundll32.exekey.execmd.execmd.exetimeout.exekeygen-step-1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-1.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exekeygen-step-1.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1372	timeout.exe

Modifies registry class 3 IoCs

Processes:

cmd.exefirefox.exeMiniSearchHost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

keygen-step-1.exe

pid	Process
5052	keygen-step-1.exe
5052	keygen-step-1.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

key.exefirefox.exe

description	pid	Process
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeImpersonatePrivilege	4048	key.exe
Token: SeTcbPrivilege	4048	key.exe
Token: SeChangeNotifyPrivilege	4048	key.exe
Token: SeCreateTokenPrivilege	4048	key.exe
Token: SeBackupPrivilege	4048	key.exe
Token: SeRestorePrivilege	4048	key.exe
Token: SeIncreaseQuotaPrivilege	4048	key.exe
Token: SeAssignPrimaryTokenPrivilege	4048	key.exe
Token: SeDebugPrivilege	1600	firefox.exe
Token: SeDebugPrivilege	1600	firefox.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

firefox.exe

pid	Process
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

firefox.exe

pid	Process
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe
1600	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeMiniSearchHost.exe

pid	Process
1600	firefox.exe
5624	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GTA_San_Andreas_keygen_by_KeyGenGuru.execmd.execontrol.exerundll32.exekeygen-pj.exekey.exekeygen-step-1.execmd.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 4092 wrote to memory of 5952	4092	GTA_San_Andreas_keygen_by_KeyGenGuru.exe	77
PID 4092 wrote to memory of 5952	4092	GTA_San_Andreas_keygen_by_KeyGenGuru.exe	77
PID 5952 wrote to memory of 4584	5952	cmd.exe	81
PID 5952 wrote to memory of 4584	5952	cmd.exe	81
PID 5952 wrote to memory of 4584	5952	cmd.exe	81
PID 5952 wrote to memory of 5052	5952	cmd.exe	82
PID 5952 wrote to memory of 5052	5952	cmd.exe	82
PID 5952 wrote to memory of 5052	5952	cmd.exe	82
PID 5952 wrote to memory of 1224	5952	cmd.exe	83
PID 5952 wrote to memory of 1224	5952	cmd.exe	83
PID 1224 wrote to memory of 5068	1224	control.exe	84
PID 1224 wrote to memory of 5068	1224	control.exe	84
PID 5068 wrote to memory of 1580	5068	rundll32.exe	85
PID 5068 wrote to memory of 1580	5068	rundll32.exe	85
PID 5068 wrote to memory of 1580	5068	rundll32.exe	85
PID 4584 wrote to memory of 4048	4584	keygen-pj.exe	86
PID 4584 wrote to memory of 4048	4584	keygen-pj.exe	86
PID 4584 wrote to memory of 4048	4584	keygen-pj.exe	86
PID 4048 wrote to memory of 1044	4048	key.exe	87
PID 4048 wrote to memory of 1044	4048	key.exe	87
PID 4048 wrote to memory of 1044	4048	key.exe	87
PID 5052 wrote to memory of 1108	5052	keygen-step-1.exe	89
PID 5052 wrote to memory of 1108	5052	keygen-step-1.exe	89
PID 5052 wrote to memory of 1108	5052	keygen-step-1.exe	89
PID 1108 wrote to memory of 1372	1108	cmd.exe	91
PID 1108 wrote to memory of 1372	1108	cmd.exe	91
PID 1108 wrote to memory of 1372	1108	cmd.exe	91
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 2500 wrote to memory of 1600	2500	firefox.exe	93
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94
PID 1600 wrote to memory of 4304	1600	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

keygen-step-1.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	keygen-step-1.exe

outlook_win_path 1 IoCs

Processes:

keygen-step-1.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\GTA_San_Andreas_keygen_by_KeyGenGuru.exe
"C:\Users\Admin\AppData\Local\Temp\GTA_San_Andreas_keygen_by_KeyGenGuru.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
    keygen-pj.exe -pAevKviq48c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240630125.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1372
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04585987-4813-418a-99ee-cb905ed97bfe} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" gpu
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2316 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd647355-bab7-464a-aca5-ff0d000c1894} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" socket
    3⤵
    - Checks processor information in registry
    PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e70c09c0-6490-491e-a7b5-202172b754ef} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:6088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ad23ba3-ecdf-453d-9258-ceb2cff35a12} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4676 -prefMapHandle 4672 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c05637ce-1137-40d9-84a7-dfda8f60cdf6} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" utility
    3⤵
    - Checks processor information in registry
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 4560 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f75b925-f82d-410f-b6c6-ddf4afa49ee0} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:4048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5616 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a59e1a43-efd1-4769-a5ec-2133a865780b} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5584 -prefMapHandle 5548 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab432e6-4e16-43f0-9777-2daadfee972e} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 6 -isForBrowser -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2763cffd-6641-463d-8a52-1f40ee172ca6} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:2500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 7 -isForBrowser -prefsHandle 6088 -prefMapHandle 5584 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02de4542-86a1-4d6c-bbac-d5c22ef8eab8} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6544 -childID 8 -isForBrowser -prefsHandle 6464 -prefMapHandle 6468 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a4f0246-3419-4d94-8822-114b0add1667} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6744 -childID 9 -isForBrowser -prefsHandle 6776 -prefMapHandle 6792 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b85a6d-727f-44aa-883d-8e8ac360e2cb} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 10 -isForBrowser -prefsHandle 6256 -prefMapHandle 6272 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf54ee92-5020-4918-871b-f93e81b1509f} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
    3⤵
    PID:476

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
cf9f60f037967b8ea16330c4da5f74f4

SHA1
9ab859320de2eb50495b3713a1a3bb5f06be4685

SHA256
e276ce98e175df60392cc3cfdc0557425e14855017cb1fd2275271be3cee8cee

SHA512
984fed4912afde7a3234c0e602df79d321c57be8eccbd7bf460c01a2813983b7c9f9dd6d0c12bc154955c42d722754ed0c443a4e09c940d4354ec0730137c972

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
71a6b59e08e25451e52675c842fae23c

SHA1
565a97673954a9209c7a05fba20b89d10b88025f

SHA256
5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6

SHA512
5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\240630125.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C11D90\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C11D90\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C11D90\nss3.dll

Filesize
1.2MB

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C11D90\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe

Filesize
363KB

MD5
c0f34f38475aa244c9c8696aeed709a5

SHA1
0194b56c80c4b5192873400fdc96ce7d8df682a2

SHA256
831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046

SHA512
15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Filesize
112KB

MD5
43eb47b71c9f1003adc2d0f108d2679c

SHA1
5965eb51d289dc79ab56cb995d47f371472d4846

SHA256
913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1

SHA512
7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl

Filesize
5.4MB

MD5
6679149b2ff88e49736c4044c9d95f8c

SHA1
015d23b0578f6942bcb92a2426a3d800e31b10c8

SHA256
06478b53a8c21e1f7d82b6fa71c028f347e612ab8063d1c1311f298242455c3b

SHA512
94b5c7833aba332e330b12e5bf2884d4bdd98c6fac05775f31b36ef65b53129cd22c61e33d9bdfbae3feba65ea257403735446e895c98392170c6e2261b3ee2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Filesize
97B

MD5
b7da5b5251bfd8f57cbac943155601a9

SHA1
133751b2b7a68a92ad1e21417dd4d2b1d44cc2da

SHA256
023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee

SHA512
7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Filesize
103KB

MD5
2fbf80a7ba32f036bb97a2d0d909283c

SHA1
ed00a832320f3806ef3ecacfb54356e55b8e713f

SHA256
aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee

SHA512
a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
18ed59546c012e1840a4f14053ddd31c

SHA1
f880e5a36a5e9cee42bc75e5af36a44675c3f96a

SHA256
5b97eb59a1154663809d72086655942a9b274beb8c9614f523a9b4883b067384

SHA512
a4d11351c5eec9eae0db7f4e227a072162fecd936b5576f6cce26ffc0580e697ad90e467d1600bacfacf9bde6fcf7737fd2a2a608336cf923eb7f35a1ce1f88b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
11KB

MD5
936b8a59d6bc62fbdc14cd28544644de

SHA1
e2fd859a14a862493e904b024f1196b907048d90

SHA256
62748bef56139acc592cb448e6e3da64549c714fe2879028607a243701224c20

SHA512
b6fd2bb6aa8feae11a96b59a1f52fd167ab47cc65c092589b7f83a825847a6c231affd41e2201e6a0550f4a129e4faea6d82b31b592d324ba2a6a02ea9565ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5478f411adf9d1c45321de918020c16d

SHA1
13f2a23118d6080fd7571a07f74c64ca8069baac

SHA256
d82932eb2d20b7427047c6a89a9f6679ba1a9d3aa8ca1e5eda4be7f9961bb8f4

SHA512
85c343531b41a24edde199514c11f52bb7e8268713d48d354db9a7efa79afce65d8d2b429ca825f360061f5f4281c6c68d1e6be08ab234b5db82859c9383a113

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9a60e69d311668add7ef3831c8086923

SHA1
62ce3084e725d514357aa2cc3242714f2d16999e

SHA256
8434ab841f4cf7dc25e0c99244d915ecc0a6ca2d885cc6cbe19d4359de6b9af6

SHA512
12e09747696222a2eb41705dbcf20dd257259f37208751c068552f3c96546c750f6facfbe3b4a4eaf3d23a56b343ee4a248e9f49dc352c35684f6b561f6248f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
8c45b826c1d19fdd6055cafcf5c19172

SHA1
09734fd0e545309379d5a0f0f2fb08b05272434d

SHA256
3f4907699728375d6d0bd4a7f98e5dec5ee65d52caa0a446971cd4667686c48e

SHA512
7314043ff3c29e0788865c2e7fc76562e7f3e3bcaa48132d458c1d5a7107be37a61ed9838fae7ea8089bfb4f50af751548e30448412e60e4428d5dba6865d9d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
65c593c8c25aba10d9e605a93b403493

SHA1
62f00034fce1bfa21a40022f54854f1161f6362a

SHA256
99b6f0a5a6b1ef5afc127c353c4d286cf75d443f01ad2a37a147d0bb42d5c96d

SHA512
fd0441acf9772adf1bf1e68f42ebfe954ad76ef3c7f7f1236a02fff291e69fea8c213f1c74e011bfcc0e02073f2324557b69b959fc992e14197caf11d4de1f64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e04763de15130f2a2f60104d01c09bf5

SHA1
35bdd483c1150443f0461a68525fe24c605c67d8

SHA256
5dae938ef22fd3597667aad1def3a67ac9e190497b64cf614c499296fb652a25

SHA512
692efe7cc86c0c677fbe14533dcc3f09a19066f7064047e5e25b969414d5aa818e83d40ab988ecdffdad95a9ec54d83eece576f9e53a9941e7911676150ad525

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
bbd501e8d5b3abd328f2b9f11f237117

SHA1
1f20019482be47a71f740a025e729d83c8afe2be

SHA256
411bc5786c09c060ebc77646e1dfe65f5294ef4aec7dced81cdf95ddb29c3e29

SHA512
319f4dcb20d8a4d8fb9e1301765e35feb86f9896bf22300519440ef58100f5d00c523d720ba3205c3308a1cf6a07d2826ab0cbf14899f2daff5e43413f866516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\1df1fe26-5107-4bea-9aa2-beb8e753a3be

Filesize
671B

MD5
990cf633e863056c00950504e10e559c

SHA1
20bc51c307bda8df97d5cf3c7e87bb9c647bd7ea

SHA256
cd6e21e79b4086e50ee96f70f6aba433e5c2f1364736c6890ef21f781686d240

SHA512
be7959c2ce09a6613abb79ab67c138b3e8f698256a1f8e87b5c93d8234aeb67e0fe1460bb6e252bc4f7dce527cb8394070e1bfa9ddaea65ad076af1c6d565053

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\43c68c49-3ed4-445b-89a0-0e7345dda361

Filesize
982B

MD5
c636166e7899e9a78e3aa9dff06c1aac

SHA1
4f5f621718474f4e6dd6f8a3cd35f8673547923a

SHA256
3733e0c2cc52419d440a315c8c50b684c4c8af5c2a9b0c4207947904a2130a7c

SHA512
bd1156400db7ab25f13e0064f8ce6183f3f2b8102aea417871ea210e22b78d4dda52b78a4749ff83e8bf79c83fd2f2d59bb4d65f822161ef0a6f4ff3cd2433b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\6b7dcc66-5d39-4e9c-bceb-65a89a97841d

Filesize
25KB

MD5
98a73635a51ad263c16988b99eb25671

SHA1
c31caf05b25586f7d5a03d8b322a8803f39bf27e

SHA256
7f3200ce714a93c112592674c97fedef29540c1e7b440c6f53bbbf1d7f64116b

SHA512
f89b35249af20cba13db0ebea2640013cdef45465bc9b20b79aace3cf995a52ee391bbb65210f58e20718b49d175583a02eb047cdc0bf46fad72e29f83e10c39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
414b3c9f8598f4a63be7c389269f2e27

SHA1
4ce711ed967dc5bf76ad7b69fb2a5c67b701eaa8

SHA256
14ecd812135fde2e7fbdeb49ce14f2c4fdf7bec6404954d2928922c309e434a3

SHA512
55d232fc06f6ed2502d1c6a7f03b338f22e26305ea2670ad9fb32d84bbaab25fb0e9b8b564d9cb09ccc1338f86c56936387dd923020d645eb35f6e84768665ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
10KB

MD5
c0d17c3be10db3d00c61a67d8547b871

SHA1
50deecef72d197388c8b6619642db91c1a740290

SHA256
2d6d60e550b25c33b7b4a24cabd34ff75f4c1fba0f52e653ea075f371f3a9396

SHA512
37fade6872eff21f25fccef320f340af5da36cc081a13833956e6ac75014e702ceb96f3b56ba5e1302936ba5f62226ed33746509d8139ed75f501e010780f6d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c4f41b9fd9fd1c421b77590529713dab

SHA1
84d4b285053092558ca167b0a34375cc8e2c27cc

SHA256
8cd540e49a69aaad2541f0ef2adee258518521c1c51a5f926c9e745ef7ea5c94

SHA512
534a1f9f8113b36c2e4a32ba8c7a94a16acec781af11e4e3e6887a582f3a7a8e9f29d3491fd538fbc26851cca84043b7be7724aaad8c6406ed53be74eac99180

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
b9f277fac5e197b9d9535615feb2d7d7

SHA1
e6130567f4d7acca9155c1173e208b7d854ea750

SHA256
880f14cc9886f10c25db1b8faa5afb4b4d8f96a8d5e06c57909773851534e14c

SHA512
ff1d1bfc423fa548e2131ed29039aea9cdec672ba13a4fb6a78f879164774208d5059b8d97ea1adb749a41664a82b7e7752c77814743801f43d7f1197057b23a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
e6a85de98bd60aec736c1a761823e546

SHA1
55fc75d7f4194d8dd2b81fba19416a6057392110

SHA256
c76cfb5819775ae07322ae82ca6971086401491b5c4dbcc703495758abbccc8b

SHA512
5e9f81075f5513dce164de423cf26044e23b5f0d47741a28c722a66139cd38a9d37e40755268936d04fe4b84bc69cb72d6f4653fd732f73f0b56a5cb045d73e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
02ad8fa5605b9ac580f068d85151966f

SHA1
d46b6b959f10dca0434ef108893235a9a7c73719

SHA256
0f1b95a01b6c768adf247a402ef00cacfa9294b9472b56b1e2d27943b8a911a0

SHA512
bd849014e0309553cee1ea872afe3e3e698be50b5c58220a3bced1bf1c44964193be8864d5f55d7e22d817731ec66d86fbb76833a7c64483ecfbe3b7325f6912

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\default\https+++keygenninja.com\cache\morgue\98\{a8b34728-7b22-449c-8024-9dc29236f562}.final

Filesize
482B

MD5
01e70a3e72567dce8cecd11afafcea34

SHA1
07ecf7529bcfcc9f1b890fc2bfdb92115abb8f9f

SHA256
8ca82eba11ad08609b61e82b391d02447ae599962df83a910d9769f222a6bc04

SHA512
c12ceb65f4a3ac09f7fc71afd85485b9e27588b1a6366f36c32f12d0aeb3c47aac4a916d4447544e60c07714535ea16045873849cbd1b6a688c13d55cf55c44f

Download Submit
memory/5052-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download