Malware Analysis Report

2024-11-30 05:31

Sample ID 240709-sv9vrasbmg
Target #!SetUp_58392--!PassW0rdz#$$.zip
SHA256 87513a658c88f4b7c53e64a0ecb859b5a0edcc64d8ada5475971517a088b8fd1
Tags
amadey lumma execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file #!SetUp_58392--!PassW0rdz#$$.zip was found to be: Known bad.

Malicious Activity Summary

amadey lumma execution spyware stealer trojan

Lumma Stealer

Amadey

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

AutoIT Executable

Suspicious use of SetThreadContext

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Program crash

Unsigned PE

Command and Scripting Interpreter: PowerShell

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 15:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 15:27

Reported

2024-07-09 15:32

Platform

win10-20240404-en

Max time kernel

241s

Max time network

246s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1360 set thread context of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1376 set thread context of 504 N/A C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe C:\Windows\SysWOW64\comp.exe
PID 3824 set thread context of 5008 N/A C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe C:\Windows\SysWOW64\comp.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\Tasks\NVIDIA Container Compatibility.job C:\Windows\SysWOW64\comp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\SearchIndexer.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe N/A
N/A N/A C:\Windows\SysWOW64\comp.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 4280 wrote to memory of 648 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 648 wrote to memory of 1376 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe
PID 1376 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe C:\Windows\SysWOW64\comp.exe
PID 648 wrote to memory of 3824 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe
PID 3364 wrote to memory of 1884 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1884 wrote to memory of 1792 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1884 wrote to memory of 3632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe

"C:\Users\Admin\AppData\Local\Temp\6YTYIRNSREFLH6MJ71L.exe"

C:\Windows\SysWOW64\comp.exe

C:\Windows\SysWOW64\comp.exe

C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe

"C:\Users\Admin\AppData\Local\Temp\8017OJ3TQ62QUPBQW2BIL89M.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1432

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.0.157132020\1869602521" -parentBuildID 20221007134813 -prefsHandle 1612 -prefMapHandle 1600 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83e68a33-d809-467d-ad86-bcc4aa1b1ca7} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 1792 1f2910d6158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.1.1159659544\1259096148" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee6bd060-0997-40e9-9b73-db6ef025d57a} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2164 1f290ff9258 socket

C:\Windows\SysWOW64\comp.exe

C:\Windows\SysWOW64\comp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.2.2089654527\206016340" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2896 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4da42e23-db32-4771-ab59-721d4a4078d6} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2752 1f29539d558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.3.1947643720\560642858" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3404 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5cb48d0-60d0-40be-87d8-8c6b68683d24} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3448 1f29620be58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.4.106441376\315703736" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4092 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7240682-a51b-4822-8e12-7f379136d1cf} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4056 1f296ffdf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.5.115247438\1268786981" -childID 4 -isForBrowser -prefsHandle 2576 -prefMapHandle 4572 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1812a53b-6d8c-4673-a019-4b96fc6f3380} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2572 1f292933958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.6.65631505\594666068" -childID 5 -isForBrowser -prefsHandle 1724 -prefMapHandle 5124 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2d26fa6-d996-4e90-bfd0-02a016fab146} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5048 1f297980c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.7.745633111\889830403" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0f5e78-414d-482f-bb48-1c1e83d26647} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5304 1f297f09258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.8.2130528380\1442578095" -childID 7 -isForBrowser -prefsHandle 3564 -prefMapHandle 3136 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {814be0ed-0d1a-45bd-be01-9176a69301bc} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3572 1f298cddb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.9.116920842\2144914942" -childID 8 -isForBrowser -prefsHandle 4424 -prefMapHandle 4440 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfcfb7e7-8905-4e91-b9c5-3d4a77375d55} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4420 1f2924a5e58 tab

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.10.2130560860\759106258" -childID 9 -isForBrowser -prefsHandle 5856 -prefMapHandle 5892 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ae1509e-b129-4044-b734-ba8ae00494db} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 4492 1f293928158 tab

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.11.173221863\974064266" -childID 10 -isForBrowser -prefsHandle 6024 -prefMapHandle 6084 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {696b4536-43fb-484d-bb61-04ba142b1e29} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 6100 1f29a05b358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.12.671932055\646723907" -childID 11 -isForBrowser -prefsHandle 6304 -prefMapHandle 6352 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {648dbd1d-b86e-4657-97fe-acf0f21a695e} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 6128 1f29290a258 tab

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3a0

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\" -spe -an -ai#7zMap13448:118:7zEvent2823

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\!ŞetUp_58392--#PaSꞨKḙy#$$.rar"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\rondure.flv"

C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe

"C:\Users\Admin\Downloads\#!SetUp_58392--!PassW0rdz#$$\0pen___files\Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 15:27

Reported

2024-07-09 15:33

Platform

win10-20240404-en

Max time kernel

195s

Max time network

257s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/4540-0-0x0000000000400000-0x000000000045E000-memory.dmp