Analysis Overview
SHA256
36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079
Threat Level: Known bad
The file loader.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Umbral family
Downloads MZ/PE file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies registry class
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 17:03
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 17:03
Reported
2024-07-04 17:06
Platform
win10-20240404-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\loader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\loader.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\loader.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.0.1046318290\496168136" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488f1b25-71ee-4490-9ac2-e3c11acd3ba7} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1764 1c51cdd7458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.1.711458890\937251860" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e6a45b1-5237-49b0-b17c-cfb5a3504631} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2120 1c51c93e858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.2.2112167012\963008803" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb1f133-f050-403f-ba54-6db167904018} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2888 1c52109cb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.3.1797431857\955568705" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c5c0846-2aa6-47c6-bce3-0700e962694c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3532 1c51c93ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.4.1752315966\585360503" -childID 3 -isForBrowser -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fcd76bd-536a-49f1-bf7d-4b93daea129f} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4264 1c5230d0258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.5.1322618298\1919425634" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4988 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {899165bb-4efa-41ee-a96d-52d36057163e} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4996 1c50a930858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.6.1295047573\817540739" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f27f7c-626f-4206-af98-d0d9c9ee605c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5144 1c521e5cf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.7.756028665\1240859595" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e5bd68-495a-437d-bcf1-e2c5038b6bf4} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5340 1c5234cf858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.8.1853970031\154176432" -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e4fc285-f3d5-4e4c-b3df-2f51bf8afdf4} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 5684 1c525320e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.9.1646820280\1671615300" -parentBuildID 20221007134813 -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a340faaf-5502-4527-aa6a-50384db4c678} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3956 1c525482e58 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.10.1804078007\1244921613" -childID 8 -isForBrowser -prefsHandle 4360 -prefMapHandle 4816 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c38ba282-d973-4198-8d38-439e176608cf} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2824 1c525e1ca58 tab
C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.200.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:49762 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 44.242.121.21:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 21.121.242.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:49768 | N/A | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.111.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 142.250.200.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/4144-0-0x000001A6CDF30000-0x000001A6CDF76000-memory.dmp
memory/4144-1-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/4144-2-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-4-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 7d5d031cf4f3385342dc49e63cb90356 |
| SHA1 | f1cf0111e35b4d3a9a9cebbd9662c4adcb331dc8 |
| SHA256 | 34626f564cc72bee9d72ac497aaabcb649e54206007dd8b349e59705a66fcf08 |
| SHA512 | ed129234597095962ae0f00fdb8918c99498b8bd29649e507bf6d01b7a05bfcd546691e9c611ca4e1aa4bb632fb2af53ba8667fb4fc2b27f7cf7607aa6eaf7ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\1eba927c-e643-48e3-a20f-875d4efb4963
| MD5 | 393939d0340942488ac7369fd29449e6 |
| SHA1 | 8c09a51376f797886a9d5e740905a8d460dafd22 |
| SHA256 | ce581377f5d6659f1fdcd86df4202045708da9853313148b9264dcb340e3adb2 |
| SHA512 | 35a09f168f0def3aeda361a227deb5eebc1000aee839fc02c3ff2f4ccd6b26f13885a2ec1c81dfd3ff706ecfbd6a551fd9df656bc2594f94f675c01d0fd05bc6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\334866b8-04f9-4a9c-9397-19c56797703b
| MD5 | 07068b28736d651a52c7c7935de30106 |
| SHA1 | 8f849941c7e65ca0a1c9a0c4162e0fc5a554a7a7 |
| SHA256 | 90f2e94b646e508a93a93a694487bea6e876af6d60ff3e3cd434bc50152b0b73 |
| SHA512 | 427b6a3db66855a64ab223e908c85757fdff6e76d73dba1ad3f12286112e9011142c3f38bddf1b5b612ad76b5e52805c2baf31bc247647a56ad17d911b7119d6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 1fdc13de64cfdb8ba3fcd71aad9d33d3 |
| SHA1 | b7649cfd66d751435fa56a4b4b20daace452c692 |
| SHA256 | fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783 |
| SHA512 | 3c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
| MD5 | 73dfeea07e5efa42897ee445fea29a87 |
| SHA1 | ba0a266e7c422938b0ac26dbb1b6029524177728 |
| SHA256 | 2bc0126f5a1a24d7e916ff8d905f99f5630d0e2398f520651b7d059ba2c8085e |
| SHA512 | 42d1e90c11ce407bc24880595b2c15e2bb022288414e38afa970b5fd030c379afc0dede769ba044ede1bc543799eb370a6d240dd34d08a6a71d0b4d735f63d04 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e2a5603c27820c173785e48e07cfe058 |
| SHA1 | 599bc588d16aef8a85406a87739d03067908c2d1 |
| SHA256 | 15a9977de2b3af821bc2ccc64343f95d1dca462ef2bb476db850b09bcd8ef582 |
| SHA512 | 3c16db19163ad9612cd53e504a9871558458b0738f394308bbf35bff03653c95b15aeac2b628232e4a61b6fbf196b557cc25e75a9bb7c5135862a39e8181cf3b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 7e9ab6ae3b835a5f1ede2e263fb76b76 |
| SHA1 | 7cc9247298f047436bde82d86b76aa4a8059031a |
| SHA256 | bdde0d31c4c61d4ca8d7e416a0e6f5be3565c740fdf3c5a8b859cd56ff60f952 |
| SHA512 | 5f3dfa5fdaf354bd6d184fc85b583ac9091eee9c3bad35959c23cf7778691841b1de87bc5757f79c8282fcf42ec46398a76b270cd853f71df079853241e23e1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | be691fe51c18e432d78741ff614abb4d |
| SHA1 | 882bf195a0db757e6c21113f4e3751908e0c4ec9 |
| SHA256 | 4b300a315de91eb27f727325e9c2281bda1f431e292bc3b215901da31e44bf89 |
| SHA512 | 6a5707974eef1424413255bc63ef67aa78e5963b7b752c517bc3f4260d2bfeffd590776f034bb0676dfdb32b08e2304b9ea31992810b61b8f04e5b4ec1d6339b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 9d48d11de91bac4addc74db133c940be |
| SHA1 | acd948ed53afc225235aff4315e2a925dd4472b8 |
| SHA256 | 7dc9d583216cf08c0e408a9f3b0316f629f153f2c9c9273496b92c18fb86ce39 |
| SHA512 | d289e1bbc0a93bf77a8a16edfac90b0da9cd061e1e1bd9988a697264fd9e1177eb533b7164304db1778b96d39d68c9b2bcc70117198c929bcf808f094b6120cb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\26418
| MD5 | 547f4ac52ba64968946acbbe5eea725a |
| SHA1 | 13e17a99df3d08d1e1ff89cc95eb9effafe439af |
| SHA256 | c1023063e03b7d13e07b3c3a49ce88d973b61be250fb554e1f3f132a8b688639 |
| SHA512 | 6a36c9b93906eda7cd38ed2fed32ef6895b194e28e3b7344fb8b625d220dbfc127a1ddd71917d06c73e746289628d96a377d6f9ce7ae166df96c5c6f6ae772cc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1a37eb7012dc9cab5d5fd61b97efba66 |
| SHA1 | 3fadcdc9b701d18d89eb1d1b2d3ed3376a4e84e4 |
| SHA256 | 0efbf4f0484c434245c6d8e589d60235dd6895a0a54fd8c275134c65301f9cd9 |
| SHA512 | 15c8ea3d74e8c800a56f2c577a472d4fb8299a5d7a590816d4afc87b998390c1948f72acb835b1735dc569e958e64bdbf9a0d83be2b18da3ddaf82d426482cbe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a1822454595bd938b5d852af81fc8b18 |
| SHA1 | 7a98d731f56ba7ab658d592bdfabefbe73bfce68 |
| SHA256 | 323103317e70f9e854d831519bd0681ba62d49453d4c557bc0c3ec257f31005b |
| SHA512 | 60cc59a96550bdcbb28c7de6e1682e6ec791d002e93dc8d15e33b6cb82efd5995f2ee5d473faba1dc958aeab6b42068c79c39fc788169035653c954e8746cc1b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | f72b612f7d0c9d7935c376960c9d4d20 |
| SHA1 | 669f33d1a9b0734df4c74f9646027d3713ddf766 |
| SHA256 | 48d3c9d6a917c19057d59deba2943d685e00b3a698760aad7910ea3eeb038202 |
| SHA512 | 48dec1aba44c411db2a89060ff4437eefeda4f18aadaf906e67dacc6ae718d806fb6f36c02c9ff88560b2938ab0d845100fe04c43c2593bb6573db925226adc7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\92B7809CBCCEC32F8AA6B585CB23104E10E55D53
| MD5 | 634d36df4895097be1dfd7cdd5595815 |
| SHA1 | fa022af6dd72068d7625ae965a64b66dd3aa296c |
| SHA256 | eda803902ce8a4d15e6dfe7c5ff84c3234501be910155bc4f21da85f0adb4760 |
| SHA512 | 1152a72339f8d0b906ed5efd8853f13a5c6d3f7a3ebe37b1872cb4620cde4da3ac8f6a9020b1f86333c9fc06bb3fa2a7a4f4a1a6166811c48bedeae4c0563ce1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\D911690572EFF44BA9B379A93A81EA65D99204DB
| MD5 | 88df6e714c960143b4f0ea221caaabbd |
| SHA1 | 35002f9021adb5476240f9d45ead3f32331f6e45 |
| SHA256 | 44f7eb6be5b0ead2309fb8969af3f6b513c462d139ab12e4d2765d910ac6600f |
| SHA512 | dfe071a7b939a65b4dbd1371d1570d8b5e66ead164c0f63c54aa704d29fc5724d3626747489b745c5e35a209075ef2d1f0dcc6549c88ff9156336deca495f3d4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\462E5FADCC82A134C10A828C114C5F747964CF3D
| MD5 | df9ee898f2de1649381b7a0748b46b9c |
| SHA1 | d5044122b74bdc4352fc6a6f94bb5b2927430a4e |
| SHA256 | 3e2c1ba41c6e6b553e08c131e8e46c9fbdd2248b9b45d6cf77722ee0522dd980 |
| SHA512 | 07c0528c63a1b899878612ce4acec473d6a53911994e9107b029dc33ae5e24b7147eb9d9e90cfcade7669ec6f3a242df8aeee7e01876504788a1167d6ac50501 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\4D3373C611DE638ED6CA0F7AB92AED0C904A3795
| MD5 | ad64f83c2e8c8e9f9f0ae18e7506b65d |
| SHA1 | 5890ca757d0f0f3ed04b1f6c0df9bd766078e463 |
| SHA256 | 6af0aae847d7ae2655b8d6a8350fa0931d62659ef29e8f1a480944714d0e4c23 |
| SHA512 | a93e3e97186f89346215e3ebe11dfa4e5c3533799887b48553ebd73ce04b7773375606690d3155cf4f73704a7a3f50c01da53e91f60e02c57761b4e2935cddb0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\21235C60DB68B39BE5D5AAFD7CFDA8EB241CAC6D
| MD5 | 842da0a8eb3d263bd9c02f8be95bf5f8 |
| SHA1 | 826bbdea9cb223986889451fdb126f53c5afbd5b |
| SHA256 | 809298c349f7f8495fbd92e5107ec01e50ef4a709115eb9125928be85795166c |
| SHA512 | 7e5f7971a60d78776b04a7802b8b832441df1e422bdf58727bcffe9eb4b80b4c714a401a982872b3437315ae55512946a3df33cddac5b35ba69a85f331a0f324 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\88D2DD145122466A8C6F39785D5A392BF5E86A0D
| MD5 | b3cfa3e9f6886041f0fe9c4768660bc1 |
| SHA1 | e5d443b3bf2cf8618bd30df7a2ff6e21d9d3312d |
| SHA256 | a89d2ec0bcb1aaa8758fba7a791e321fa56950f268feac7ac460082c5f808937 |
| SHA512 | 0abc1197618185d0d125b607b42611a11b61236129ac2355c8142e1008d37375620c30dcc349e9b07b85e6d82ff129bd0b2a6714d1dadd0d949678c5527f3181 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\97B10BC4D7847C8AE893CE9BC8685F05EBFA5B05
| MD5 | 41946cb540e48c773f798db0d8a6575c |
| SHA1 | 8efd860307a66a56208a83c6456a58956e6e5965 |
| SHA256 | d267fa9c09166140e980da544a8654bf1882e86acc4241387b02339fd65ee154 |
| SHA512 | 7b10f6b58eca1038a2a239ab796d31118c1311cce5d3dccba09fce9f3b7919531436593b0ca05354febf59d167f3cbb4e6fa8b4a7b35d980cfc4f53acae0bb0c |
C:\Users\Admin\Downloads\loader.Mg9RXoYB.exe.part
| MD5 | bbd15b1037845c0863e29357fb48ee29 |
| SHA1 | 426a7448d37e1921d8112972d8541369f0a725af |
| SHA256 | 594999a215642b9336e990b192793b96f985659fcd89341ced176c6d44a30a07 |
| SHA512 | a8e6bb760c10f35d62092fdabeed3d2795b5c44ece441430fe82bf1dfb695e6a027de061f8cc4613226dd33b3a406cf447bf2cc2ffae381689d6d3d46e30d873 |
C:\Users\Admin\Downloads\loader.exe
| MD5 | ce298bde4b5d1231f937e3c434275dc0 |
| SHA1 | 8dc7b79f0c7abd7c11fdddd6d102bcf5cf11e4f7 |
| SHA256 | 36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079 |
| SHA512 | 79ea7640fb1abc8ad4d36a28cbb342fc0be563f9fc5fc9ad07dd5ca3cde24f5d5c4d1d2c09f0bfb6e8206cef6bff9ebfd626d020527ad8e7754afc1fc2f0ea1a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log
| MD5 | 53ea0a2251276ba7ae39b07e6116d841 |
| SHA1 | 5f591af152d71b2f04dfc3353a1c96fd4153117d |
| SHA256 | 3f7b0412c182cbdefb3eedafe30233d209d734b1087234ac15409636006b3302 |
| SHA512 | cf63abfe61389f241755eef4b8ed0f41701568b79d1263e885f8989ce3eca6bf9f8d5805b4cc7304aaaa5c7e14122b0d15bd9948e47108107bbb7219fd498306 |
memory/2944-611-0x00007FFD59D13000-0x00007FFD59D14000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | ad095954894b6fa8355358d6b48cf0a8 |
| SHA1 | aa108dfc3868179b901380b8ef4bf752f6764692 |
| SHA256 | 50cb6f2c08b28b868cb6a99425e3be8dc2d107d5f08acc441a0649367cff4750 |
| SHA512 | 2683e1c47b322809413a2a6d8167de2d9d349fe437971a004de0ef6620c3f3e553c8f1745706f7302a4591a5b1aff9659499fed1c75ce9cebb01a2f36ba3e1eb |
memory/2944-621-0x00007FFD59D10000-0x00007FFD5A6FC000-memory.dmp
memory/2944-622-0x00007FFD59D10000-0x00007FFD5A6FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 43b4d64d8316dfdf9905dcac410104ee |
| SHA1 | 2090b1b779a116a23a2cdcc1a9bfcef5d6b9c933 |
| SHA256 | 1a4d2d348083008a4db689b791e7de5e5e9f5d6d8dc22d31114c0b64149c8038 |
| SHA512 | 86351e9e54f1cacd3f2db73ac35f3052b1277c672b388dc5d084b2db84e24d3881d852f87ffb2c5d0cd87069f01ecbb165d6adc2a77801d1200b18db01aa5e3e |