Malware Analysis Report

2024-11-30 04:45

Sample ID 240223-fc2efabf89
Target https://download2351.mediafire.com/sm24pq2ja12gIkr6ANd8hBZBtzNvbL86ofmt2oH2-Bca2Feuo9B9ty1_sfgZfevMA1tlE5DrWc1TLEWTIT4ghzJoNjJO3vIASD0VQxrX7iOjjrAveXppvuFUucQHB2mrHV6vE1_NlpqF1tcHIJW6ezMSRaYF2bp3xnk-iYG0fez5/wl9moebaudqauqv/ROBLOX+Cheat.zip
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://download2351.mediafire.com/sm24pq2ja12gIkr6ANd8hBZBtzNvbL86ofmt2oH2-Bca2Feuo9B9ty1_sfgZfevMA1tlE5DrWc1TLEWTIT4ghzJoNjJO3vIASD0VQxrX7iOjjrAveXppvuFUucQHB2mrHV6vE1_NlpqF1tcHIJW6ezMSRaYF2bp3xnk-iYG0fez5/wl9moebaudqauqv/ROBLOX+Cheat.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 04:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 04:44

Reported

2024-02-23 04:47

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://download2351.mediafire.com/sm24pq2ja12gIkr6ANd8hBZBtzNvbL86ofmt2oH2-Bca2Feuo9B9ty1_sfgZfevMA1tlE5DrWc1TLEWTIT4ghzJoNjJO3vIASD0VQxrX7iOjjrAveXppvuFUucQHB2mrHV6vE1_NlpqF1tcHIJW6ezMSRaYF2bp3xnk-iYG0fez5/wl9moebaudqauqv/ROBLOX+Cheat.zip"

Signatures

Lumma Stealer

stealer lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4424 set thread context of 4708 N/A C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A (2 identical events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A (2 identical events)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A (2 identical events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\ROBLOX Cheat.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (43 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical events)
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A (2 identical events)
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (4 identical events)
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A (39 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical events)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (38 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical events)
PID 960 wrote to memory of 4516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical events)
PID 960 wrote to memory of 4168 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (48 identical events)
PID 960 wrote to memory of 4956 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (3 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://download2351.mediafire.com/sm24pq2ja12gIkr6ANd8hBZBtzNvbL86ofmt2oH2-Bca2Feuo9B9ty1_sfgZfevMA1tlE5DrWc1TLEWTIT4ghzJoNjJO3vIASD0VQxrX7iOjjrAveXppvuFUucQHB2mrHV6vE1_NlpqF1tcHIJW6ezMSRaYF2bp3xnk-iYG0fez5/wl9moebaudqauqv/ROBLOX+Cheat.zip"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://download2351.mediafire.com/sm24pq2ja12gIkr6ANd8hBZBtzNvbL86ofmt2oH2-Bca2Feuo9B9ty1_sfgZfevMA1tlE5DrWc1TLEWTIT4ghzJoNjJO3vIASD0VQxrX7iOjjrAveXppvuFUucQHB2mrHV6vE1_NlpqF1tcHIJW6ezMSRaYF2bp3xnk-iYG0fez5/wl9moebaudqauqv/ROBLOX+Cheat.zip

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.0.1094134459\279263198" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7efb5d8-d857-4286-bf8f-2db5226656a3} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1996 18f7f2dda58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.1.188145731\1146697741" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c11c48df-56ed-4683-9797-af6187f959fc} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2420 18f7f1e8258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.2.1473418434\1855484653" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efc82ba0-aa55-46b5-b4ab-f558b4f57b85} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3132 18f05aafb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.3.273332992\1374277940" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f6854d-2986-4cc7-a1d6-81f50298ea03} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3660 18f06f78d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.4.1729973117\1922866255" -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d93784a-6ea0-4d41-8199-ef0894ca2553} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5128 18f08c14858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.5.1339338862\722464311" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5276 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e784bb-c562-4671-a3d2-0522869fc6b8} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5316 18f08cce258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.6.466250532\542671710" -childID 5 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18f0d7d-28ea-47d6-9699-55607fc8d8cd} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5484 18f08ccee58 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ROBLOX Cheat\" -spe -an -ai#7zMap2388:86:7zEvent19896

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ROBLOX Cheat\manual\Manual.txt

C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe

"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 download2351.mediafire.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 199.91.155.92:443 download2351.mediafire.com tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 download2351.mediafire.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:49867 tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 download2351.mediafire.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.227.167.82:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 92.155.91.199.in-addr.arpa udp
US 8.8.8.8:53 82.167.227.44.in-addr.arpa udp
N/A 127.0.0.1:49873 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 sideindexfollowragelrew.pw udp
US 8.8.8.8:53 chocolatedepressofw.fun udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 prescriptionstorageag.fun udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\pending_pings\7ff03738-46a6-4c50-97b1-d566bbd8fdd0

MD5 96a826c7a37d1c805900f5c0edb841d4
SHA1 936df9eb22a7cb0a8f2fa64e01ff550b99afc11f
SHA256 adab9da93fda3ce02ba30c8e141b17909fb37482b91d2c9899730478ee6dbb7f
SHA512 cf8ac791c9b14451bff11a3091c653dad4c6ac74de13c7fc3a7adb6eea3cedb3d9d73b8c85825f3ab84714b615ef2ecf735ca7fd51621a6753eb2b5a6f6e7a8a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\pending_pings\3b5460d6-c3d4-4e74-9678-4587d26b1682

MD5 c81d0f730fa3b379e5db16cdb147d3f0
SHA1 139cee84f7faaed4611c4aea90ca41b8d5508d86
SHA256 9edad603f00585c8b84e8d217a16971f12065b147aa19aaa699ff1674f379902
SHA512 9f7a7582efd969982101fc55ef0162f8f74d9ebb0921bc8be6937aeab9abde344a502f7412c3f8bd0231400f31d7f0e31bb550c50f2f0ab692882e2828f9df77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\db\data.safe.bin

MD5 8f5351367936944707eb93afb1498471
SHA1 247ef80bbdc6332a87109edcecb961bcc75e7880
SHA256 d0263d603e671cb0b48ddcd2860df4c02f283db5081365c3a438bce661aeb5be
SHA512 2efda8376b104fd265a7c0dd736bb0870c058f0bcd3d0ddb6a52603db0dade5d8a75e01e1645d7ec05d82ad6ea8b8e3a480c53be212c73a16c7fa304e5b0c390

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\prefs.js

MD5 d13295402de74517e588766063385eb9
SHA1 6179f2d0b67c544703111181191806a36a442d40
SHA256 0077d9d2507b8317ce7646108e982f9623cf1fe1559c05ba5ab9ce58a506c9e3
SHA512 e58e93cdff8e2a253252f0fb54f6a237dd9b7b94f6a58e7bf86ff822f6c6b3bafc2704ec55272f57b5faefe7d8c79012ed49993d3cda8e343cd7367aabb596a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\prefs-1.js

MD5 bec5f1b0de8fea43e8b278a6f97a3557
SHA1 67ff76e867f636b97ad219f18fe6c0d5677cb8a0
SHA256 9b5648f87fc376bcc380c26fe4c38797dbae532d4b12d50a8ad9e712100c23bb
SHA512 f22c4c093613b8aaa34d9d29cd67180919edad5adc14ccfca631057795dc0b50ac4d8c28b28f1a017bb1762519f69d3e9433bb63cfeb44af2da7d0a23016effd

C:\Users\Admin\Downloads\ROBLOX Cheat.-1-q1eyR.zip.part

MD5 44bf0cd02308cfa558811d7d3964e32b
SHA1 80e8c13a44c1378b831b4f5e02898abf8e238657
SHA256 8ff3a941aeea0e1ed01e5e090848bfa2f5c2ac573abe1673538f02839793e121
SHA512 9dd3aa74f5da3c1ae63fb6d6d63de0636a4e069b93cbd35d86ed011476bd585d1d4d03d64d9d27842e32e9af68abdc5a6a1c55a20c6d3460dfd870328cb0187b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\sessionstore-backups\recovery.jsonlz4

MD5 69d3890a489ad5136a4d09e83c512237
SHA1 d375584c7192f3a0e626297ed774dac991820bb7
SHA256 3defcd6e5f5a3b0fcfa2eef42fc3d89c2dfef56c5b1ee8971b9ea1f9e22d506d
SHA512 deb0f0a646b931ad89b42b3c8858f9f603294b636915f28568d0f72faedc387bcdd891ae99122b381a7820ba0cfe408a9c728a1fb6bad84dd84d09a053b510cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\sessionstore.jsonlz4

MD5 bef90bff935b5f3f9c482481ebd4632c
SHA1 caea9fe769df9311ec8130bd6b03535559d01293
SHA256 e94fb1d5c871425a62dfdde354ebf3a4d8a108a594e9ebbead13197ae2eaf064
SHA512 d8dc57aa490f4c713d6f6101ee16fd94af53f46d5c156d06f48dd1ab9ec508b1be1b37d45081dcdf5d6c35c1bf110ee7b685a019f84a1cbea8767c61f187a993

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\prefs-1.js

MD5 a12249d0187afac7f9576aa933b8fab2
SHA1 1a546030070896691fd0e0aba722841ddd14ca85
SHA256 51f3be69c46ff9475a99ab5de4ad32d1d2416572ec75b6d31bce411fdf195eff
SHA512 65267dcff3ac49e29792e0062aadff18fe6c6b638b34615e02b085a9742b6f562f6404465fbb67943dfba9c15c584ca729aed25757b876ea29e8af68452195a6

C:\Users\Admin\Downloads\ROBLOX Cheat\manual\Manual.txt

MD5 e0d221f43d38a87a7f043c68dbf490e7
SHA1 104939bb7687ba0571678857f74f0c92f9d2ddb1
SHA256 e5288bc20d7e1e28297471e3f6088557964870730072d206fd02e5e40bde6309
SHA512 cb327549ca65ddace9bca7ed84ace048772cecb8e400699011b6ede0de23d0196230db93122f7bd92adcd54e0a18cd2efe89902eb82e8513f0398a8867f30aa2

C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe

MD5 d54a8b90227a487bc800a3eb7c1352f0
SHA1 039d57519a03de5dc5fdb53afa948f49a59988b3
SHA256 becba2eb6f7ad1976f91cc183107ed7d45e264a861a74e90102314cbbd352928
SHA512 6b0561ca4446ed7cce21f6e6c531ff2cd992cfa2cdd9adb7e4546f4390cefdd5fa09a4cacb65b4b3499a29ebb5d133df4c79e853b3bf383b2059fdde4327e89b
