hxxp://virtualyoga[.]mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg

Resubmissions

21/09/2023, 14:57 UTC

230921-sb3bkaag75 1

21/09/2023, 14:56 UTC

230921-sa2cwaag67 1

Analysis

max time kernel
18s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 14:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
228	firefox.exe
228	firefox.exe
228	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 4440 wrote to memory of 228	4440	firefox.exe	65
PID 228 wrote to memory of 3700	228	firefox.exe	85
PID 228 wrote to memory of 3700	228	firefox.exe	85
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 4780	228	firefox.exe	87
PID 228 wrote to memory of 3848	228	firefox.exe	88
PID 228 wrote to memory of 3848	228	firefox.exe	88
PID 228 wrote to memory of 3848	228	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg"
1⤵
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.0.1023784012\846825979" -parentBuildID 20221007134813 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66424248-d659-4245-ba71-2f7e1860b0e1} 228 "\\.\pipe\gecko-crash-server-pipe.228" 2012 1adbf8e2858 gpu
    3⤵
    PID:3700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.1.1638736611\47787580" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8175211d-3270-4296-9319-f9678dbdf1f3} 228 "\\.\pipe\gecko-crash-server-pipe.228" 2456 1adbf3e5258 socket
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.2.1030608277\1746974436" -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 2896 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b67825-35b8-4ca5-ab73-345610e3c097} 228 "\\.\pipe\gecko-crash-server-pipe.228" 3224 1adc34cd558 tab
    3⤵
    PID:3848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.3.306194604\1954116139" -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3712 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d44b17aa-245a-463b-9c95-6d126694bd00} 228 "\\.\pipe\gecko-crash-server-pipe.228" 3728 1adc3754858 tab
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.4.1386210128\1814908450" -childID 3 -isForBrowser -prefsHandle 4852 -prefMapHandle 4828 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fab808-1f5d-45fe-8a67-62e59942ec9c} 228 "\\.\pipe\gecko-crash-server-pipe.228" 4860 1adc57a6c58 tab
    3⤵
    PID:2224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.6.1796433907\1901303274" -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c21c49e-ea73-4b2c-89b1-895069cd8635} 228 "\\.\pipe\gecko-crash-server-pipe.228" 5188 1adc58d3c58 tab
    3⤵
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="228.5.383014321\1850972848" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 4880 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c3478f3-d331-4799-9d5a-548dc8476d87} 228 "\\.\pipe\gecko-crash-server-pipe.228" 4992 1adc58d1258 tab
    3⤵
    PID:4732

Network

DNS

126.177.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.177.238.8.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

virtualyoga.mom

firefox.exe

Remote address:

8.8.8.8:53

Request

virtualyoga.mom

IN A

Response

virtualyoga.mom

IN A

212.115.109.188
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
DNS

getpocket.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

getpocket.cdn.mozilla.net

IN A

Response

getpocket.cdn.mozilla.net

IN CNAME

getpocket-cdn.prod.mozaws.net

getpocket-cdn.prod.mozaws.net

IN CNAME

prod.pocket.prod.cloudops.mozgcp.net

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

content-signature-2.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A

Response

content-signature-2.cdn.mozilla.net

IN CNAME

content-signature-chains.prod.autograph.services.mozaws.net

content-signature-chains.prod.autograph.services.mozaws.net

IN CNAME

prod.content-signature-chains.prod.webservices.mozgcp.net

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
GET

https://contile.services.mozilla.com/v1/tiles

firefox.exe

Remote address:

34.117.237.239:443

Request

GET /v1/tiles HTTP/2.0
host: contile.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
te: trailers
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
GET

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=IE&count=30

firefox.exe

Remote address:

34.120.5.221:443

Request

GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=IE&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"3d86-XuwJFy3S/7zid4f+kHYsvhttb0c"
te: trailers
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
GET

http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg

firefox.exe

Remote address:

212.115.109.188:80

Request

GET /Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg HTTP/1.1
Host: virtualyoga.mom
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN AAAA

Response
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:524c::
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A

Response

shavar.services.mozilla.com

IN CNAME

shavar.prod.mozaws.net

shavar.prod.mozaws.net

IN A

54.185.54.63

shavar.prod.mozaws.net

IN A

34.214.148.106

shavar.prod.mozaws.net

IN A

44.240.83.93
DNS

push.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

push.services.mozilla.com

IN A

Response

push.services.mozilla.com

IN CNAME

autopush.prod.mozaws.net

autopush.prod.mozaws.net

IN A

34.117.65.55
DNS

virtualyoga.mom

firefox.exe

Remote address:

8.8.8.8:53

Request

virtualyoga.mom

IN A

Response

virtualyoga.mom

IN A

212.115.109.188
DNS

firefox.settings.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox.settings.services.mozilla.com

IN A

Response

firefox.settings.services.mozilla.com

IN CNAME

prod.remote-settings.prod.webservices.mozgcp.net

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

44.240.83.93

shavar.prod.mozaws.net

IN A

54.185.54.63

shavar.prod.mozaws.net

IN A

34.214.148.106
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN A

Response

autopush.prod.mozaws.net

IN A

34.117.65.55
DNS

virtualyoga.mom

firefox.exe

Remote address:

8.8.8.8:53

Request

virtualyoga.mom

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-modified-since: Fri, 25 Mar 2022 17:45:46 GMT
if-none-match: "1648230346554"
te: trailers
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
GET

https://push.services.mozilla.com/

firefox.exe

Remote address:

34.117.65.55:443

Request

GET / HTTP/1.1
Host: push.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: wss://push.services.mozilla.com/
Sec-WebSocket-Protocol: push-notification
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 7MICBOTIwXWy6tAOzBN9XQ==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Response

HTTP/1.1 101 Switching Protocols

Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: htX8JzY8PhHlj8ydx0jKa5YtpDY=
Date: Thu, 21 Sep 2023 14:58:11 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

63.54.185.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.54.185.54.in-addr.arpa

IN PTR

Response

63.54.185.54.in-addr.arpa

IN PTR

ec2-54-185-54-63 us-west-2compute amazonawscom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

188.109.115.212.in-addr.arpa

Remote address:

8.8.8.8:53

Request

188.109.115.212.in-addr.arpa

IN PTR

Response

127.0.0.1:60782

firefox.exe
34.117.237.239:443

https://contile.services.mozilla.com/v1/tiles

tls, http2

firefox.exe

1.5kB
7.5kB
11
15

HTTP Request

GET https://contile.services.mozilla.com/v1/tiles
34.120.5.221:443

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=IE&count=30

tls, http2

firefox.exe

1.6kB
13.5kB
11
19

HTTP Request

GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=IE&count=30
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

firefox.exe

1.4kB
5.4kB
11
12
212.115.109.188:80

virtualyoga.mom

firefox.exe

352 B
44 B
7
1
212.115.109.188:80

http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg

http

firefox.exe

1.6kB
44 B
9
1

HTTP Request

GET http://virtualyoga.mom/Y2w/NTQ3MV9k/Ng/NzMwMTY/MTEx/MTA5/MTUyNTg
54.185.54.63:443

shavar.services.mozilla.com

tls

firefox.exe

2.2kB
4.1kB
10
9
34.149.100.209:443

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

tls, http2

firefox.exe

1.6kB
5.7kB
10
11

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
212.115.109.188:80

virtualyoga.mom

firefox.exe

260 B
5
34.117.65.55:443

https://push.services.mozilla.com/

tls, http

firefox.exe

1.6kB
5.8kB
8
10

HTTP Request

GET https://push.services.mozilla.com/

HTTP Response

101
127.0.0.1:60790

firefox.exe

8.8.8.8:53

126.177.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.177.238.8.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

virtualyoga.mom

dns

firefox.exe

61 B
77 B
1
1

DNS Request

virtualyoga.mom

DNS Response

212.115.109.188
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

getpocket.cdn.mozilla.net

dns

firefox.exe

71 B
174 B
1
1

DNS Request

getpocket.cdn.mozilla.net

DNS Response

34.120.5.221
8.8.8.8:53

content-signature-2.cdn.mozilla.net

dns

firefox.exe

81 B
235 B
1
1

DNS Request

content-signature-2.cdn.mozilla.net

DNS Response

34.160.144.191
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.120.5.221
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
155 B
1
1

DNS Request

contile.services.mozilla.com
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
110 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:524c::
8.8.8.8:53

shavar.services.mozilla.com

dns

firefox.exe

73 B
157 B
1
1

DNS Request

shavar.services.mozilla.com

DNS Response

54.185.54.63

34.214.148.106

44.240.83.93
8.8.8.8:53

push.services.mozilla.com

dns

firefox.exe

71 B
125 B
1
1

DNS Request

push.services.mozilla.com

DNS Response

34.117.65.55
8.8.8.8:53

virtualyoga.mom

dns

firefox.exe

61 B
77 B
1
1

DNS Request

virtualyoga.mom

DNS Response

212.115.109.188
8.8.8.8:53

firefox.settings.services.mozilla.com

dns

firefox.exe

83 B
161 B
1
1

DNS Request

firefox.settings.services.mozilla.com

DNS Response

34.149.100.209
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

44.240.83.93

54.185.54.63

34.214.148.106
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
86 B
1
1

DNS Request

autopush.prod.mozaws.net

DNS Response

34.117.65.55
8.8.8.8:53

virtualyoga.mom

dns

firefox.exe

61 B
134 B
1
1

DNS Request

virtualyoga.mom
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
155 B
1
1

DNS Request

autopush.prod.mozaws.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

63.54.185.54.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

63.54.185.54.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

188.109.115.212.in-addr.arpa

dns

74 B
154 B
1
1

DNS Request

188.109.115.212.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ob75hbeb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
e8671c57943a5e91325a0f53beb2324f

SHA1
58c6add98569dfd950d3a1dc00ceaed6d4578873

SHA256
3b9db0345f1332faafbb7336008d7e6ee5932a5b72f793f7182f2871842288f0

SHA512
fdb302145c2f14052bb2b2b29ab9b8ef263f746107f3ce2f1957e5a164b16cd6c86f208277ed297e7e08b1328c78088d75ab9bf48751717663afb97368b04d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
990B

MD5
0535929af81ea7f13301c1139fcaeb8a

SHA1
5e49b87e1973d49ee2da00fa5da9c835bc7f41f1

SHA256
b8939c92ac8cd3057feb80754f682bfc66480ad44ffb7f21657ce220e4c939f3

SHA512
b2bfad62321e668f94deade09612268fad25776b7731d699b83009aa0d5d9c02945c5a27efe8045b6424f04e4d57ab2f46c2229a7e4679af656c292643b7964c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.