azorult | 6b0716c393a9ca8f45642d8294022c25781dfee1ccd83b1d04a66cadc519edf2

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe
Size

4.9MB
MD5

510b4b10293559f94ef23cc1d85b106f
SHA1

1e006333dee51cb4ece00c55edea7645e9f492ce
SHA256

508b26909f773ce2d08f74451821ffae3645992ff6832db06a4f87acb988c3be
SHA512

d5cbf189be667012992c668e974d666d01691a74528cf0375b77a1aec6e8f7dc589764b738153fc52beebbbcfe3f3064779cea354dbc6eefbd60a37aa6a54ed8
SSDEEP

98304:ehSZcczCkoJA2I8ubb2b/Rf8jjaG/xN1rD4gVE6sV/TeLuBKkgO:ehS9CkoXIMqjJflD4gVGZeLpkT

Score

10^/10

azorult pony collection credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://upqx.ru/1210776429.php

Extracted

Family

pony

http://top.regdnl.ru/bussin/gate.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 3 IoCs

pid	Process
2820	keygen-pj.exe
2772	keygen-step-1.exe
1640	key.exe

Loads dropped DLL 8 IoCs

pid	Process
2820	keygen-pj.exe
2820	keygen-pj.exe
2820	keygen-pj.exe
2820	keygen-pj.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2820	keygen-pj.exe
2772	keygen-step-1.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1640	key.exe
Token: SeTcbPrivilege	1640	key.exe
Token: SeChangeNotifyPrivilege	1640	key.exe
Token: SeCreateTokenPrivilege	1640	key.exe
Token: SeBackupPrivilege	1640	key.exe
Token: SeRestorePrivilege	1640	key.exe
Token: SeIncreaseQuotaPrivilege	1640	key.exe
Token: SeAssignPrimaryTokenPrivilege	1640	key.exe
Token: SeImpersonatePrivilege	1640	key.exe
Token: SeTcbPrivilege	1640	key.exe
Token: SeChangeNotifyPrivilege	1640	key.exe
Token: SeCreateTokenPrivilege	1640	key.exe
Token: SeBackupPrivilege	1640	key.exe
Token: SeRestorePrivilege	1640	key.exe
Token: SeIncreaseQuotaPrivilege	1640	key.exe
Token: SeAssignPrimaryTokenPrivilege	1640	key.exe
Token: SeImpersonatePrivilege	1640	key.exe
Token: SeTcbPrivilege	1640	key.exe
Token: SeChangeNotifyPrivilege	1640	key.exe
Token: SeCreateTokenPrivilege	1640	key.exe
Token: SeBackupPrivilege	1640	key.exe
Token: SeRestorePrivilege	1640	key.exe
Token: SeIncreaseQuotaPrivilege	1640	key.exe
Token: SeAssignPrimaryTokenPrivilege	1640	key.exe
Token: SeImpersonatePrivilege	1640	key.exe
Token: SeTcbPrivilege	1640	key.exe
Token: SeChangeNotifyPrivilege	1640	key.exe
Token: SeCreateTokenPrivilege	1640	key.exe
Token: SeBackupPrivilege	1640	key.exe
Token: SeRestorePrivilege	1640	key.exe
Token: SeIncreaseQuotaPrivilege	1640	key.exe
Token: SeAssignPrimaryTokenPrivilege	1640	key.exe
Token: SeDebugPrivilege	2064	taskmgr.exe
Token: 33	1280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1280	AUDIODG.EXE
Token: 33	1280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1280	AUDIODG.EXE
Token: SeDebugPrivilege	2496	firefox.exe
Token: SeDebugPrivilege	2496	firefox.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2064	taskmgr.exe
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2792	1088	F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe	29
PID 1088 wrote to memory of 2792	1088	F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe	29
PID 1088 wrote to memory of 2792	1088	F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe	29
PID 2792 wrote to memory of 2820	2792	cmd.exe	31
PID 2792 wrote to memory of 2820	2792	cmd.exe	31
PID 2792 wrote to memory of 2820	2792	cmd.exe	31
PID 2792 wrote to memory of 2820	2792	cmd.exe	31
PID 2792 wrote to memory of 2772	2792	cmd.exe	32
PID 2792 wrote to memory of 2772	2792	cmd.exe	32
PID 2792 wrote to memory of 2772	2792	cmd.exe	32
PID 2792 wrote to memory of 2772	2792	cmd.exe	32
PID 2792 wrote to memory of 2660	2792	cmd.exe	33
PID 2792 wrote to memory of 2660	2792	cmd.exe	33
PID 2792 wrote to memory of 2660	2792	cmd.exe	33
PID 2660 wrote to memory of 2784	2660	control.exe	34
PID 2660 wrote to memory of 2784	2660	control.exe	34
PID 2660 wrote to memory of 2784	2660	control.exe	34
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2784 wrote to memory of 2156	2784	rundll32.exe	35
PID 2820 wrote to memory of 1640	2820	keygen-pj.exe	36
PID 2820 wrote to memory of 1640	2820	keygen-pj.exe	36
PID 2820 wrote to memory of 1640	2820	keygen-pj.exe	36
PID 2820 wrote to memory of 1640	2820	keygen-pj.exe	36
PID 1640 wrote to memory of 2972	1640	key.exe	37
PID 1640 wrote to memory of 2972	1640	key.exe	37
PID 1640 wrote to memory of 2972	1640	key.exe	37
PID 1640 wrote to memory of 2972	1640	key.exe	37
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2528 wrote to memory of 2496	2528	firefox.exe	45
PID 2496 wrote to memory of 1728	2496	firefox.exe	46
PID 2496 wrote to memory of 1728	2496	firefox.exe	46
PID 2496 wrote to memory of 1728	2496	firefox.exe	46
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47
PID 2496 wrote to memory of 1300	2496	firefox.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

C:\Users\Admin\AppData\Local\Temp\F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe
"C:\Users\Admin\AppData\Local\Temp\F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
    keygen-pj.exe -pAevKviq48c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_win_path
      PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259562325.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2772
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2156

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.0.269470704\133271193" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8769779e-7565-4f97-92e2-1afcb9f44f7d} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 1296 ecd9458 gpu
    3⤵
    PID:1728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.1.1598139852\885638108" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b307d93d-ae7f-414a-8595-30eb7dcd613c} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 1500 e72858 socket
    3⤵
    PID:1300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.2.236170514\1563885486" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed7fd4d0-5b89-4970-94de-12e2e1828ff6} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 2068 19285a58 tab
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.3.221080681\683034022" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5eee92-1981-4344-bf3d-8d12c0165e35} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 2756 1b38c858 tab
    3⤵
    PID:2708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.4.306215256\1797295702" -childID 3 -isForBrowser -prefsHandle 2996 -prefMapHandle 2984 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd83065-09b2-4830-a978-cb3bdd091169} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 3008 1bfca358 tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.5.1769240220\25369588" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bc5e0b6-36da-4008-ac00-a7c2fca134c5} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 3812 1e18f358 tab
    3⤵
    PID:2656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.6.1445476429\1102889090" -childID 5 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bb929d-b759-44dd-ba03-d40889bb754f} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 4024 1e18f958 tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.7.674899517\1689336255" -childID 6 -isForBrowser -prefsHandle 4060 -prefMapHandle 4064 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a49d0b6-c8e8-4448-8e21-4b7006932889} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 4048 1e2cd958 tab
    3⤵
    PID:1608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.8.994766403\757222355" -childID 7 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1859bc29-561e-4156-87de-890702e65b26} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 4448 20b8db58 tab
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
330934efc09e4fdb85f322d0f427349b

SHA1
4a34e35fe869ca22cdafa0156a5ea5f42520d826

SHA256
01bd155af03fa87bdc11d863fa1634d9ac79dda336a48322a56acf5045a3fc86

SHA512
8e8781f4a5472dbde438bfbae5b92730b026003eacc345540c050ecbcc7e1ec64ff264d27d621f3500001dde46e0f8929dd3b97d62747d29f022fcba7537f769

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\259562325.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe

Filesize
363KB

MD5
c0f34f38475aa244c9c8696aeed709a5

SHA1
0194b56c80c4b5192873400fdc96ce7d8df682a2

SHA256
831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046

SHA512
15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

Filesize
112KB

MD5
43eb47b71c9f1003adc2d0f108d2679c

SHA1
5965eb51d289dc79ab56cb995d47f371472d4846

SHA256
913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1

SHA512
7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl

Filesize
8.5MB

MD5
af9d46423a50401d1f10a947c64d5000

SHA1
d252e9e1c82351cf3ccf24e3ca70baeb108730d1

SHA256
3b238f449c962af6b3ab57f68dbacbf9d8c042c5552f6822b541385d689a504f

SHA512
4006b995877b8462e25bcd3e1b6fe9384b1605f24cd8d1e562c68f57caa762c68704f65dd9f55a4c415af96c420e540ba1ad5ff8d900bb7ab03db299c0364c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Filesize
97B

MD5
b7da5b5251bfd8f57cbac943155601a9

SHA1
133751b2b7a68a92ad1e21417dd4d2b1d44cc2da

SHA256
023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee

SHA512
7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
18aeea516e3a740be267a159893dd1ff

SHA1
903740672aa3b31f233f65fcd9048d3d025cd455

SHA256
3e34b9f7987ac869876908821fd27e3c3c8e1b370c11f324b2ee9fd7bd599501

SHA512
03bcb753e0f6004116ece6e284c03122f95438fe32fea33bf55891fbf9ffff627103531be78da309ab9ef576e8a4c26119a949d8fe76744f9cceb99d8297344a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\06ba2b4e-116c-42d9-bdb3-1c5e183268f6

Filesize
12KB

MD5
041a4c37ebb46389614c8c8da525c5c1

SHA1
94683b2ef960d5dd2ba640ea6452e2ef4c36a335

SHA256
0dadbf920a2d9cda9d339828d25c5585bae1fe158f56a7bac0a62eaa42f1f782

SHA512
25b347c970bdb01a78492356c5ab7c594cbacf64accab1b32914f962196ce70b1878a0c962e93fe49f5736d2c9a4df23268d9be3bb8c9ea5eefbfb158bade3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\43f8eb85-c5ef-45c6-9119-06a1ff0b2813

Filesize
745B

MD5
65c22a659b4264161b75453d80cdfd54

SHA1
ac2b0a2d12a2d6f13d79a6e046f70d7411d21775

SHA256
da2674ccab4edaf7a235b4428d09076a8b83afc38e50f2d259fc47b4c73882f0

SHA512
dc73be3dccc31fc1560c6a19b6ba15715e35b71e4770fc0c45d78eb3bbbfa22649182ddb96a4c074e62addc74222c534fa65ae80ae725611b519773ea9e8f976

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
9e4cea3201c0211c12c30f96af7ad525

SHA1
9f3166f8145ac99423578395b3a55139a540dcdb

SHA256
4ba7ce300d759881cbe12264597e4df14a16069da019452278a778fae0b70086

SHA512
bc88af6f0082d10ab763ea9c2029c454e774a5fca796c5b0111ac84dcb142cfd491b79190918cd7d997dc252f5f56952e842bef179dd87f51652f600030f861d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
f15def79d51a1a95903ffcf0929a9103

SHA1
3cdbd45214aab06c58d71165b389baef23bed97e

SHA256
d64c17df361256967c1760ffc79a021c219e56882562ece09ad93c732bdfdae3

SHA512
f8450e3d8cb75d8b17f1bc192255945bb978cb7dc851a58ae4b1a75bb223efacb074330cd0838db2e4303e51e1b90c7d538418b498e078584d3aa306420977d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs.js

Filesize
6KB

MD5
e4d800d7c5c64af04d58baa9d4a5c734

SHA1
05ac26708869aaefaa2ab494b665e62bfd18489a

SHA256
ef5c09bc650293de4bbf320f69b8f4b9327e05ac5bf6d854aff01c2ee6a79b37

SHA512
81171a96f7b482998b1a09a19e9f60e72a32af98431fbccdf3170e9137a9b9d3fb8fd650401d3914cf9453612a5ef863cfd28a5e8bff29a89d2f00de2e27b71e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5712edb3bca613c95094a70f23199423

SHA1
8b6a94b607054641715d0b4ca64ced46f746f0b8

SHA256
0a6b7658ca1c461086b49861513c2ebc8caab4ba62e0821cabb1d1b6044ec485

SHA512
971ab893188779da80831fa1fa1821c4881c4750d10cd3f61ff9710a1c005f6f1ac4f6237c66feceb9d5f0999c63bdccddd4aade6a8d67857e592c79a522d521

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
16d7d9bd89492297aa388bdcc946052c

SHA1
184d53d24cef9c58d19858633dcbc13e647eacba

SHA256
4dea44c29d157ce41240017c8390f268587609a5ae24d8b5d8facb49b376690c

SHA512
ba975a22875a0a6d1dbbfe5e7b9c12072f22a54e8ab70c0b3542ba61a37cc9005221fe8c7fec9dba82fbf82da4ac2ead106e3ba5bf88a8842618427cbd163b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
cac8067d625cb2c0d85461aa21a512a9

SHA1
8ee7b1b84402da5be3ada0467516b0f2553e9f76

SHA256
2629c91107d86b49d4e191945c9d6d760f8431ab88db34e773cf6af01428ce07

SHA512
8d70e9cd90d2580b9e92e2131f966d04d3da7a9f1b4a5cc9d4354103f5242ffff7106a999dd1ddff9dbfda3f064d09c717cd172889f4eb58ba620673abdfa112

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Filesize
103KB

MD5
2fbf80a7ba32f036bb97a2d0d909283c

SHA1
ed00a832320f3806ef3ecacfb54356e55b8e713f

SHA256
aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee

SHA512
a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

Download Submit
memory/2064-95-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2064-96-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2064-97-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2064-94-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2156-92-0x0000000002E50000-0x00000000030C4000-memory.dmp

Filesize
2.5MB

Download
memory/2156-74-0x0000000010000000-0x000000001088D000-memory.dmp

Filesize
8.6MB

Download
memory/2156-88-0x0000000002B80000-0x0000000002E46000-memory.dmp

Filesize
2.8MB

Download
memory/2156-90-0x0000000002E50000-0x00000000030C4000-memory.dmp

Filesize
2.5MB

Download
memory/2156-89-0x0000000002E50000-0x00000000030C4000-memory.dmp

Filesize
2.5MB

Download
memory/2156-93-0x0000000002E50000-0x00000000030C4000-memory.dmp

Filesize
2.5MB

Download
memory/2772-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download