Analysis Overview
SHA256
87513a658c88f4b7c53e64a0ecb859b5a0edcc64d8ada5475971517a088b8fd1
Threat Level: Known bad
The file #!SetUp_58392--!PassW0rdz#$$.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Amadey
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
AutoIT Executable
Suspicious use of SetThreadContext
Loads dropped DLL
Drops file in Windows directory
Executes dropped EXE
Program crash
Unsigned PE
Command and Scripting Interpreter: PowerShell
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
Checks SCSI registry key(s)
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 15:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 15:27
Reported
2024-07-09 15:32
Platform
win10-20240404-en
Max time kernel
241s
Max time network
246s
Signatures
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1360 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1376 set thread context of 504 | N/A | C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe | C:\Windows\SysWOW64\comp.exe |
| PID 3824 set thread context of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe | C:\Windows\SysWOW64\comp.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\Tasks\NVIDIA Container Compatibility.job | C:\Windows\SysWOW64\comp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SearchIndexer.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe
"C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe"
C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe
"C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1432
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.0.157132020\1869602521" -parentBuildID 20221007134813 -prefsHandle 1612 -prefMapHandle 1600 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83e68a33-d809-467d-ad86-bcc4aa1b1ca7} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 1792 1f2910d6158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.1.1159659544\1259096148" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee6bd060-0997-40e9-9b73-db6ef025d57a} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2164 1f290ff9258 socket
C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.2.2089654527\206016340" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2896 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4da42e23-db32-4771-ab59-721d4a4078d6} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2752 1f29539d558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.3.1947643720\560642858" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3404 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5cb48d0-60d0-40be-87d8-8c6b68683d24} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3448 1f29620be58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.4.106441376\315703736" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4092 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7240682-a51b-4822-8e12-7f379136d1cf} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4056 1f296ffdf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.5.115247438\1268786981" -childID 4 -isForBrowser -prefsHandle 2576 -prefMapHandle 4572 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1812a53b-6d8c-4673-a019-4b96fc6f3380} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2572 1f292933958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.6.65631505\594666068" -childID 5 -isForBrowser -prefsHandle 1724 -prefMapHandle 5124 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2d26fa6-d996-4e90-bfd0-02a016fab146} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5048 1f297980c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.7.745633111\889830403" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0f5e78-414d-482f-bb48-1c1e83d26647} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5304 1f297f09258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.8.2130528380\1442578095" -childID 7 -isForBrowser -prefsHandle 3564 -prefMapHandle 3136 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {814be0ed-0d1a-45bd-be01-9176a69301bc} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3572 1f298cddb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.9.116920842\2144914942" -childID 8 -isForBrowser -prefsHandle 4424 -prefMapHandle 4440 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfcfb7e7-8905-4e91-b9c5-3d4a77375d55} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4420 1f2924a5e58 tab
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.10.2130560860\759106258" -childID 9 -isForBrowser -prefsHandle 5856 -prefMapHandle 5892 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ae1509e-b129-4044-b734-ba8ae00494db} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4492 1f293928158 tab
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.11.173221863\974064266" -childID 10 -isForBrowser -prefsHandle 6024 -prefMapHandle 6084 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {696b4536-43fb-484d-bb61-04ba142b1e29} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 6100 1f29a05b358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.12.671932055\646723907" -childID 11 -isForBrowser -prefsHandle 6304 -prefMapHandle 6352 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {648dbd1d-b86e-4657-97fe-acf0f21a695e} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 6128 1f29290a258 tab
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\" -spe -an -ai#7zMap13448:118:7zEvent2823
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\!ŞetUp_58392--#PaSꞨKḙy#$$.rar"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\rondure.flv"
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe
"C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
Network
Files
memory/1360-0-0x00000000008E0000-0x000000000093E000-memory.dmp
memory/1360-1-0x00007FFAF40A0000-0x00007FFAF44DB000-memory.dmp
memory/1360-5-0x00007FFAF40B8000-0x00007FFAF40B9000-memory.dmp
memory/1360-6-0x00007FFAF40A0000-0x00007FFAF44DB000-memory.dmp
memory/1360-7-0x00007FFAF40A0000-0x00007FFAF44DB000-memory.dmp
memory/1360-9-0x00000000008E0000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bb7004d8
| MD5 | 456d8f9a601db1f12b105175394e6b2f |
| SHA1 | 78e5fc0f7f6e97b21b42396a8957f2d255fedb1b |
| SHA256 | b4523ffe7f29e13ae2563b9cb05c263e659ae888270cb71c2a368a1dfea605c9 |
| SHA512 | b55906dd6325522a04198e9c57f66da522b5cbd7e287ab7d7599686fda5edb8dd516ad366fe8d09298f43e55b2af1e565f6a8ef592069071e0fd03fe8d6cc982 |
memory/4280-11-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
memory/4280-13-0x000000007622E000-0x0000000076230000-memory.dmp
memory/4280-12-0x0000000076220000-0x000000007663A000-memory.dmp
memory/4280-14-0x0000000076220000-0x000000007663A000-memory.dmp
memory/648-21-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
memory/648-22-0x0000000000320000-0x0000000000373000-memory.dmp
memory/648-23-0x0000000000320000-0x0000000000373000-memory.dmp
memory/4280-24-0x000000007622E000-0x0000000076230000-memory.dmp
memory/4280-25-0x0000000076220000-0x000000007663A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe
| MD5 | 86561270851963e63c6d609caaff47a3 |
| SHA1 | 37dd064af1f150d951a5fbf30b0223ee9a54c082 |
| SHA256 | be94710b2a9cd12ea8e45c7a8c61db878d731f489098c356fcb928bab39fadc6 |
| SHA512 | 93e89ab997464a1573cb4c593e6f622da2ecf28b0971fadfa526a835e81fde5d5ded19a7084ce5da3d2d4cd8270f1574cc8a84b875c8ae4d1e378fc6fa0a0133 |
memory/1376-29-0x0000000001150000-0x0000000001502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\97d0aca3
| MD5 | 39308a15982790fdcfdc7ec5a813420f |
| SHA1 | 69c79bf5098a2b766ba79ac27f810e7d7d7e4e64 |
| SHA256 | 20991bf16deb823fd6b4c49b5a30352de2622ad3dc888bc945732109dd809656 |
| SHA512 | 3178211378d171a60741533ba81ad49b4a7ed3ec18a72a0934a46f47cdf2e6ff8d582e41c8d5699735d33d6d9c30d963c81fd2ae5979a41ba310abe5abfc5534 |
memory/1376-36-0x0000000072F30000-0x00000000730AB000-memory.dmp
memory/1376-37-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe
| MD5 | af75546a81e72af61b5d94fdea9306e3 |
| SHA1 | 0f81534dd3707a8a30c800037dc49039827a3840 |
| SHA256 | 67e99e2b7b420b9919443096cae54128f9fd932c0405a1f10fe934e36cb724e4 |
| SHA512 | fa1bbf493279ca170b5a9443d45c0b6de7c6483b5a13f09fd0604d9f9f3ed7b73806a31af3d7477c71184ff014224a4e9a7cd35eed08292a140e4bcddca80434 |
memory/3824-42-0x0000000000400000-0x000000000096C000-memory.dmp
memory/3824-48-0x0000000072F30000-0x00000000730AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a12657a4
| MD5 | 63618dd22d08db942ef8eb97df47045c |
| SHA1 | 61e2f2fedcc234aa15f968eed516ac97b6d81f60 |
| SHA256 | 88966a2125942f70a46d6b7c5ec8c1ae70485d3ae1ddafdfd1ddbad9b91a7fe6 |
| SHA512 | 367f00668550fbf14e66778e226f3f1276c10652f59a633eb860c1e55d17b5386bbc0803f71909870e61bda71cdc636241c9373f7afb22be955779dbbba2c2b2 |
memory/3824-50-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\ae176efe-37aa-46b6-a6ce-0f33c2440b70
| MD5 | 52cb5cdfb14fc50b5bd9fe99d7ba8d9b |
| SHA1 | 59e78c7b741d1605f7a0fbcb0b41dcc06e8bd600 |
| SHA256 | 0323bc2d0dadfa2f553fb4fde4d1a9dcfdbe26890bb364643b51dd37f4d59ed7 |
| SHA512 | 90e66070af32c07efbeec3a89f99948fd5389c95124683438137b6d3335f96393a2b4b78deaf71112680ead7bbf641cdcc88bb945e61cb46e067d7df2708fc5b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\5373376b-0666-4c71-9f0b-9f3fcd158423
| MD5 | 571cc93682abdae8dc6c812fd7b160eb |
| SHA1 | 5fda35230bbd0f927d6a39a959aaa89c0d9d62a4 |
| SHA256 | 67f0aa7b0f83eae3c35cef5d00ca146ad23ac659cbcf9961731af4989acbf22b |
| SHA512 | d2292f6090bb865d4eebb37b1c98ece8e4175c3b1ad4b6a558cf69c7f318d27c617e10d6a65f744d465a433bff044a2978fdb1e3cd8bb3f5e7664508ecef2059 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
| MD5 | db76a86932eeb3f13f96c44a11e3be3f |
| SHA1 | 205fd4e4f0ef98e67d4f52d57c44874854b2aaa1 |
| SHA256 | 49c82eb495f600a8f6b814cdeaccc799a64de51010e2e59c7dc97705357ef2dd |
| SHA512 | fe061445e87abd3ac1c22069dc03106a38fa6a0178e37ad67b2076810a53c1f587f3bf8fc8eb237bdb9374a234af271c2d19ceb1f24715d6212900764dad6edf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
| MD5 | ace68fdef1dad2b06c09f475f3713625 |
| SHA1 | 5a896b8cf16f0f6a8004d337138585e55a6b324d |
| SHA256 | 2a05e4d894101f12b423e9e3e71a14f4561663b3916d776d4bbdf59d83f1ca80 |
| SHA512 | ea9f15f4ba3405a1f6df8d00ad7cfc3177b10884cf71c780191be42edef9ebde4c6da6266dabafe898d5a400739172721e3883e367f5bbd3c0bb2ce52d707435 |
memory/648-149-0x0000000000320000-0x0000000000373000-memory.dmp
memory/3824-150-0x0000000000400000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | deb2a5f0eaf83184b21a675176e8fa70 |
| SHA1 | 9dabc1b1ec123648872508dd7a7eaba619b0600f |
| SHA256 | f1b99ba4bfe901c796db0accf488c8431f273b73ffc0e35ce2f6095ede4a4cdc |
| SHA512 | 8bce9b0559d99bf512cbc3e70c20a95a0f566cc0a54e96b23954465e76f2a31d8c3dc57c5b375760d3812ee94b22ed3a1670332dfd86e2858124182ffa2fbda6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
| MD5 | c97fde18e9d425d9deb1c3d50740832f |
| SHA1 | b70e3350be84425d89f49695adef4620dadc007e |
| SHA256 | a7920e8d0752b7e037a4204aeb5cb7e59d3f25db5ec92c4f5f99c363c29e31aa |
| SHA512 | c63fd18a432abb91f810b8fd316738933a53aa41d0f4082935a23f4b95db5da8dcda41be82339224b8bcb9127b2a7479dea74660334d1016257c97499ad25491 |
memory/1376-194-0x0000000072F30000-0x00000000730AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9c5dd729
| MD5 | 7367392ef60ca04dfca9a911c8a293fd |
| SHA1 | 7f4f4f67f91fbad389b981556af385099bcbf2f6 |
| SHA256 | f6cc233c9fda778d5de864c4ced214ac001bf5360e4367e085fe8acbd5090196 |
| SHA512 | 5a35af4271c284337e91fffa4045d5da81579599d86bd997d0698bc4bd28dd276f73d846053a1647147c617ca8847c358e5859ad6e7d5ec8f4b37e561cc9102e |
memory/3824-211-0x0000000072F30000-0x00000000730AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a646c932
| MD5 | 920cafd6003194fa64156139aa1490d1 |
| SHA1 | 8b826b9b1ce5da8d61b87a9ebdf1eecb077731eb |
| SHA256 | 7f4c46c0ec46ecbfb647369b9a9a4f8809fe246fbef9cf7e44f8385b45f0cfe6 |
| SHA512 | 50319fab214dcd51fcd392b81c5a5a290627d17ed88aae6a1fc869a2222939b07dd394d660244965a0e254c1e0fc11b05dbce64d74fd348c19873babe23cbd20 |
memory/504-223-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
memory/5008-226-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
memory/5008-231-0x0000000072F30000-0x00000000730AB000-memory.dmp
C:\Windows\Tasks\NVIDIA Container Compatibility.job
| MD5 | 50651cf8eb83025c1b9c015f8dd7bf69 |
| SHA1 | 801f2fac919c119c4929f6575e50c69e7058cbbd |
| SHA256 | 8ad51735b47059fa1136593b75a22e9e588bffb6f71f73846939011a17ef30e7 |
| SHA512 | 8e060ca39a1c906b7bd12d366c45ba540c33c62bb612d0007d280d9676c47a04b8325df6ad97c532d1ff16e518f259b07990469c1fd70a2b044c3c2f19cf8384 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | db71012ddd8c3bbf27360bd56b59c14f |
| SHA1 | cd5baa5f06780f043b4f6abd3dd93fb70d9199b4 |
| SHA256 | b658257bafe5db767d5254fd81fc13198e98d8fded9c8cf5c23a0fdc2b87f7c0 |
| SHA512 | 4348ce992e20fecf2ea1a2eab06a94f1de3457e454cb5a28e681dab6b4e6f81a2ad65833b8fd2f70ef8f258ef5a93d039aa121c21b46c95e01596d044332cf33 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
| MD5 | ef64e3eae5efdd13400142c5237b007f |
| SHA1 | 8a0db5bdecf868669c2d2fee76a43a3650fadf8c |
| SHA256 | 8dda3a33a14770353faa23a75c9aef86e2f0c7baf3f63821a426cca9e2d42304 |
| SHA512 | d3d1575541541ad6d167e8c4abed1c400e21a682db0cadaa939301345aa435b7ea255d0a511a7881987c46e18bf158d08f517f86d98099f10f7a7f276d021cc6 |
memory/504-272-0x0000000072F30000-0x00000000730AB000-memory.dmp
memory/5508-309-0x00007FFAF4A30000-0x00007FFAF4C0B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 38f97daae7b9d8818cc071e1d4311c4d |
| SHA1 | 454347403df609c48e4a53c80185854142ae31c4 |
| SHA256 | ab6a07afaccd34bbe2f5a5c63aa2d13e1a911f7fc071f7aa2f474d79ecadc94a |
| SHA512 | e1f8479933e9a9b84bbb2973c6b3a0dd1c0730c9e15d4a3818ce82dcbaf09ec19f391fdac8f17ab79aba10f4d58f29f424e743d047839427809d0bcbdc9ed915 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 02a48e8daf4c562f5ffd3eb0ddee59b1 |
| SHA1 | 25479dc93a5ba86d5b7297da5128d3363d6ca001 |
| SHA256 | 184a5cb51eb3de8d3aa91e69cc75fa2fa4253967f07be17bd2bc72f65b03cd1d |
| SHA512 | 8f0b712067d983425f71a5098fb400ff66c8b104303a217d10353a7a17ce8f9029258525aea7769a0cda1fc2e3d261a9d2b8a1d4145f9cd996273e6c95f6f09e |
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
| MD5 | 0fb684cc15d197c0b937e5528359d7c8 |
| SHA1 | 7d963246f52f42012bdcddb31214283c84c954ed |
| SHA256 | e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260 |
| SHA512 | c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2objazb4.5fx.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++mega.nz\cache\morgue\105\{568dbda3-4e06-438e-9129-720eb8345969}.final
| MD5 | 3efa9abd92666265dd81c4f4311a96f9 |
| SHA1 | 41b6b716d67b93555e444cd453f3c6e3f8c9522c |
| SHA256 | 5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7 |
| SHA512 | 5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 295983c308d1ae142a1cd8cdc02f5c91 |
| SHA1 | 838541c241b37883c2d84f21e8994453ef6c059a |
| SHA256 | 92711d66bd3997e98b84549c4964cd7332dbba60e7824005bad553341bc8687b |
| SHA512 | 120cbefe23ff2ac36ef842d5850ff3eb94cc59e62e2f80055e18a0a335e4703870e47597a210dd8ddaa4f5ec6e1c330105eae7e8c2a5afcabbd92adcfa52301a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\6535
| MD5 | ad74594ff9ec7d4e4082e383e0428e9e |
| SHA1 | 9a90304b7529d4376d2653b6f92201b0697d8001 |
| SHA256 | 47ee30275e32c625d8fcfa2c684e546d2af2a6b2b6349a59b7641fad69b96036 |
| SHA512 | a974c88343c1ec0d743f357647a64d34d10479ec800efa775af3e8d05cd4ccf21f888da6a43108d44bfe01cd8301f92b3ac72264ca58b6ff8a4c8c7ecca176ca |
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$.T05kEdJz.zip.part
| MD5 | de1dea8d12878251478a44d9504f653a |
| SHA1 | 96cfecc9cbb000dc1ed43bea942896a4d8e72be9 |
| SHA256 | 87513a658c88f4b7c53e64a0ecb859b5a0edcc64d8ada5475971517a088b8fd1 |
| SHA512 | f42642d0c456f37b6231d10e5ecd4148d296274c12ef014a11637673e7eb50539eb523fa2b4013b185ce9b3fa877df3c57372b12e46346b298a1f94a9dbc5711 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite
| MD5 | 91b86c1d6d933b23445f50149474e123 |
| SHA1 | b0e1dc3a42d8447829c2a93be63ce024b21479f6 |
| SHA256 | 5eaa3a4321b306c63f1491770682225080de38ff11312269ed5500b7e12fa39b |
| SHA512 | edbd693f8b5a495af74715d23224b932d060a2886b947aa97594b3478c086cb095b074a3b28d61ad98343aff0415fcb5af5a4065d7f9b55df81e6512af7ba807 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e57481cedbab20ebb32e5615589a4192 |
| SHA1 | 5cc8f87bb2092e3b3dbe8b90128e952d7ffe56b1 |
| SHA256 | 8049bc0b1c59f0235f600f51145972fdbab7aeddd02fbf87fd1d1480c2c45464 |
| SHA512 | 37d1a8bd3720a3824935375c64a81690b4ee9f81ef77f29518387f375115e1c1facdce06f290c11d9a80c5fd685cef161139cda3474dd7c35c5923b1ed457b49 |
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\!ŞetUp_58392--#PaSꞨKḙy#$$.rar
| MD5 | 656b44c18d92d75cae4ac6026e196749 |
| SHA1 | 455e5352f8c1398812ba3381770851d1d709896e |
| SHA256 | b53d04babb7f168e3d7ed386f47e46f1cbc8df4e4d255064392233b8afd783af |
| SHA512 | 05d74e916c5d945c3ebf75efb208ffe36a09f26ca48072f12f2d83cfbbce97bf1931d4c4f087b4aab831671d6f95a268ac91a3f3bd2f6e1056152c526c7aa12c |
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\rondure.flv
| MD5 | debeba3e51ffeaee7cbda7eefd2c6289 |
| SHA1 | ded736ebb32b8f87fefa933dac6adfac5bf3b9b3 |
| SHA256 | 5fd404a7dc4ce3cced1d934d982e2a98a554d31da47a1a94f680318663591c6d |
| SHA512 | 85230e8ea20dc39a71f4838b3b52c23424b704c869f7e19f7e8976cc31ba8402224e1d35d9b31a802b4fdca33193e192300801afa28b3139ba245dcc98e41049 |
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe
| MD5 | a7118dffeac3772076f1a39a364d608d |
| SHA1 | 6b984d9446f23579e154ec47437b9cf820fd6b67 |
| SHA256 | f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0 |
| SHA512 | f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890 |
C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\tak_deco_lib.dll
| MD5 | 9fa027380f46e2558eec76529b2a9387 |
| SHA1 | c2c206d962cc80f20ef41a9eb4d5d3a26217103d |
| SHA256 | d8dc1568eea298c75e8ca3134588e50466867409c14ce20a4d41bf4c1742d83a |
| SHA512 | 7f326c9b7e7779fec482453cb91816c30eb7c2e86979fab424d680dd2732ba3e1b7a4d17f6d00841dbbd49d810fe7a2549399d46866ec40cc2baba56d5e3dc7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 15:27
Reported
2024-07-09 15:33
Platform
win10-20240404-en
Max time kernel
195s
Max time network
257s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/4540-0-0x0000000000400000-0x000000000045E000-memory.dmp