Malware Analysis Report

2025-05-28 16:41

Sample ID 230707-bybzfsga5w
Target https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe
Tags: agilenet
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

Threat Level: Likely malicious

The file https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

Modifies registry class

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-07 01:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-07 01:32
Reported: 2023-07-07 01:34
Platform: win10v2004-20230703-en
Max time kernel: 31s
Max time network: 121s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe

Signatures

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

agilenet

Description | Indicator | Process | Target
(no details recorded; all nine rows are N/A)

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\CheatoSpoofer (1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 532 wrote to memory of 2148 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 2148 wrote to memory of 3444 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 2148 wrote to memory of 1228 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 48
PID 2148 wrote to memory of 1652 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3

(The Events column counts identical consecutive rows in the original table: 64 WriteProcessMemory events in total, all between Firefox processes.)

Uses Task Scheduler COM API

Tag: persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.0.1153886493\262154526" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {217cdb80-25f9-4c37-96fc-355ba446a8e4} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1900 2aa7e1f4558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.1.2023154776\617311605" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a41f6a0a-e23e-467b-9bbf-63e2cc97e0a1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 2324 2aa7dfef858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.2.651907342\1235248079" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8890e3a8-39fd-4d41-9136-9e99d70d4ffe} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3208 2aa0515b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.3.1305506267\1852570394" -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a85d04ab-d598-41ab-8927-0b1ef7319a9c} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3744 2aa74062b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.5.645304820\1776970994" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 5084 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fbe81d9-5dfc-4a6e-9977-854082062f38} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 5112 2aa07cfa458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.6.1714641526\1000667650" -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5380 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e350b9-87af-4a1e-950b-8c948a8015f1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 5392 2aa07cfc858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.4.139759688\1050545560" -childID 3 -isForBrowser -prefsHandle 4988 -prefMapHandle 4944 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {220cfade-72b4-4320-804f-53ccc1781a30} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4984 2aa06fce658 tab

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

"C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

"C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

"C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

"C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

"C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:60456 | | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | cdn-149.anonfiles.com | udp
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp
US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp
US | 34.117.237.239:443 | contile.services.mozilla.com | tcp
US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
SE | 195.96.151.42:443 | cdn-149.anonfiles.com | tcp
US | 44.232.91.10:443 | shavar.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | cdn-149.anonfiles.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | cdn-149.anonfiles.com | udp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp
US | 8.8.8.8:53 | 42.151.96.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.91.232.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
N/A | 127.0.0.1:60462 | | tcp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.105:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | sentry.chea.to | udp
US | 104.26.8.75:443 | sentry.chea.to | tcp
US | 8.8.8.8:53 | 75.8.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | dev.virtualearth.net | udp
IE | 52.156.193.145:443 | dev.virtualearth.net | tcp
US | 8.8.8.8:53 | 138.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | maps.googleapis.com | udp
NL | 142.251.36.42:443 | maps.googleapis.com | tcp
US | 8.8.8.8:53 | 145.193.156.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 42.36.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | maps.googleapis.com | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 104.26.8.75:443 | sentry.chea.to | tcp
US | 8.8.8.8:53 | dev.virtualearth.net | udp
IE | 52.156.193.145:443 | dev.virtualearth.net | tcp
NL | 142.251.36.42:443 | maps.googleapis.com | tcp

Files

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

MD5 31b7c3fb6361d88e435e376adda1817a
SHA1 556ce5c0743c217b419b07991fb548b4e954fda6
SHA256 08643c35769145def3d9103fb2353006a219eaa38b5645e486afd75ba276add2
SHA512 41b707819a4c70bdab8ccd44923307db6c009dc050f45334171af119ed69d757cb0df0290dec78bb116e9e7827ae111b25d3a43429a19f7975ce163377b51fe5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5873cb1a1ce86b2417b6bc3fa82f9ee7
SHA1 7a65a2c8e866deba6434685b330e9c569d7eea62
SHA256 560cad195cffbb88fb19fdc7f40568eb6e7399400247c7822b6b939eec0332b5
SHA512 a287bbae6167daab2698a0d0791eca92e8b289ec6ef95f7c2d6dae7565a179db8b8ad4fd0f1ad29eebc79910e8658aeea1e1bc1ba0b8339a2c24c567a6c83ca9

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

MD5 7a8f3ff6b456e153499088a103d51145
SHA1 30f1fc37c25cd368594c0b8c9e416b3c5ed31d6f
SHA256 93d8134fa11201cecedac89d6c6af96afa83783aebf347ea3f6aefc925df8ceb
SHA512 e295568d314d88355ca1d681602ea00ac3419d3f583e6773eae74d6fd1eaa16789b01af8e35d4af9941ff57055d688d153bf9b2c14ffb8961c5359f2a11e31f0

memory/1936-224-0x00007FF430310000-0x00007FF4306E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

MD5 55569f0b3622a2080c20c49aca1c4b50
SHA1 f7e5d8361a4903bde0cb98299a8e83eee1d6c2a1
SHA256 e62fbab5e0ff02b0e881bfd57edfa76ec58fab8593dcec81b78a66e633adeeab
SHA512 ba49428ffbc582092296bbff9ac426e1460bd5a1d1f3472c99c470faecf6c1acd6299383759c0df5b5d9bc49ab9afe057884370049f0b1efb5beb29cd277a7a6

memory/1936-234-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-235-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-236-0x00007FFC48A20000-0x00007FFC48A30000-memory.dmp

memory/1936-237-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-238-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-239-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-240-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-241-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-242-0x00007FF430310000-0x00007FF4306E1000-memory.dmp

memory/1936-243-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-244-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

memory/1936-245-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

memory/1936-246-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\5B2255609A942D3203015BC01089042A\64\user64.dll

MD5 c204468635ab30602dea443c445e1821
SHA1 c1fa917a4604f956ef15bb53655d368c6b19d042
SHA256 7bdc755921404ec6bca532790460523873c3169091020f117ad3ee79d395b6f7
SHA512 d1558e916f31f19ab5a86f3b07aab951cb0fa2df14d5ec4f8f704b146a6e2b117c108bc68afce17859a2c81048cabb1b0510b0c43b45839dc4d82d3aea61dc5b

memory/1936-252-0x000002CFBB090000-0x000002CFBB098000-memory.dmp

memory/1936-253-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-255-0x000002CFD3DB0000-0x000002CFD3DB8000-memory.dmp

memory/1936-256-0x000002CFD3F00000-0x000002CFD3F1A000-memory.dmp

memory/1936-257-0x000002CFD3F50000-0x000002CFD3F72000-memory.dmp

memory/1936-258-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/4784-260-0x00007FF4E63D0000-0x00007FF4E67A1000-memory.dmp

memory/1936-261-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/4784-262-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/4784-263-0x00007FF4E63D0000-0x00007FF4E67A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qr3zx4hz.5eu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1936-279-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

memory/1936-278-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-280-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

memory/1936-281-0x000002CFBA060000-0x000002CFBA07A000-memory.dmp

memory/1936-282-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/4076-283-0x00007FF4BB290000-0x00007FF4BB661000-memory.dmp

memory/4076-288-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/4076-298-0x00007FF4BB290000-0x00007FF4BB661000-memory.dmp

memory/1936-295-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-300-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-299-0x000002CFD4B10000-0x000002CFD4C25000-memory.dmp

memory/1936-302-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-303-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-304-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-305-0x000002CFD3C60000-0x000002CFD3C70000-memory.dmp

memory/1936-306-0x000002CFD7CD0000-0x000002CFD7DD0000-memory.dmp

memory/1936-307-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/1936-308-0x000002CFD4B10000-0x000002CFD4C25000-memory.dmp

memory/1936-309-0x000002CFD82F0000-0x000002CFD82F1000-memory.dmp

memory/1936-310-0x000002CFD7CD0000-0x000002CFD7DD0000-memory.dmp

memory/1936-312-0x000002CFD4B10000-0x000002CFD4C25000-memory.dmp

memory/1936-311-0x0000000000020000-0x0000000004AB8000-memory.dmp

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

MD5 0692448466594d10f84490009e73a706
SHA1 6bfe4505000415101d0b18493e838a5d49c71c12
SHA256 a798a83c8ae0be8ab97bf0d8b2506e601e097e0000da7d0c5ef2a37fbeeb3f59
SHA512 71b30e432db9a3ce23c9dc271612f3a4c7ea979da2ea33590eb14e5ce4c3aa33d12950b53ea0f3a4bbe4e88b7001ca2c89fb4834f7b77899e37c2dddec2a92e6

memory/3192-315-0x00007FF4E7DB0000-0x00007FF4E8181000-memory.dmp

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe

MD5 5bc93051f48078c9907df4b93acaf02b
SHA1 e27737a3f96c400d7f36eeb6fa4a6a4db5d7d1ca
SHA256 300d54dd518702822828f3b026c24cf02d5c40ba7901288737f38a4b1f434701
SHA512 7950900af78ba782ad7319e8c9e1129c9d7009b051386bdbdd52e7d506cf15a8d886102383321376ea2d9100ccad7f52040e163e292a1577a4bb7915ca48feea

memory/4040-317-0x00007FF46BD90000-0x00007FF46C161000-memory.dmp

memory/3192-318-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-319-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/4040-321-0x00007FF46BD90000-0x00007FF46C161000-memory.dmp

memory/4040-320-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-322-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-323-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-324-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-325-0x00007FF4E7DB0000-0x00007FF4E8181000-memory.dmp

memory/3192-326-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-328-0x0000000000020000-0x0000000004AB8000-memory.dmp

memory/3192-330-0x00000234EDE30000-0x00000234EDE4A000-memory.dmp

memory/3192-331-0x00000234EDE30000-0x00000234EDE4A000-memory.dmp

memory/3192-332-0x00000234EDE30000-0x00000234EDE4A000-memory.dmp

memory/3192-329-0x00000234EFAB0000-0x00000234EFAC0000-memory.dmp

C:\Users\Admin\AppData\Local\Sentry\9588CF3ABD7EF58A0A76612B90AB4AC3D3B45E66\.installation

MD5 29845d59cd3662e6c326388537faa1b6
SHA1 8de70e64a6d92e675ac02fc2b1821bd8b0bee293
SHA256 f9fdd4b9d2cd039da33f86197714c8367fb7c3ed8c4703bd54d9249d45cf0cfb
SHA512 a9ba7076a906f8d4a9d90b6ba0c45e58f63f4834dbccc023a0b31a46a99c5551a857e8c1fd95dcf0c3c2c6147cd596083f782eb71b5abc49c645546e8bb98d33

memory/3192-336-0x00000234EFAB0000-0x00000234EFAC0000-memory.dmp