Malware Analysis Report

2024-11-30 11:59

Sample ID 231022-vljy3sdc42
Target RobloxUWP2597.663cerealwithmilkMsixbundle.exe.exe
SHA256 da508f5e7ea0a1724a25f5fe447dd043752fbbfdcece88f507278e9c71ba7821
Tags pyinstaller pysilon upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file RobloxUWP2597.663cerealwithmilkMsixbundle.exe.exe was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon upx

Detect Pysilon

Pysilon family

UPX packed file

Loads dropped DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-22 17:04

Signatures

Detect Pysilon

Pysilon family

pysilon

Detects Pyinstaller

pyinstaller

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-22 17:04

Reported

2023-10-22 17:10

Platform

win7-20230831-de

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-22 17:04

Reported

2023-10-22 17:11

Platform

win10v2004-20231020-de

Max time kernel

132s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe"

Signatures

UPX packed file

upx

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3744 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe
PID 4972 wrote to memory of 1852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1852 wrote to memory of 4264 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1852 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1852 wrote to memory of 4192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe"

C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxUWP2597.663cerealwithmilkMsixbundle.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.0.1588747658\1652265682" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa0c004-b0df-4acf-8d90-f2f8b61044e7} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 1996 174b3fede58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.1.200759393\1158382449" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05a22fc8-daba-420d-80e0-940c47fa285f} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 2376 174b3efa258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.2.1733085330\2073161005" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 2948 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {810cdd2d-66d3-428e-9c78-39fd3b4db18e} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 3080 174b809b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.3.1655937557\1254605734" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07cef7bf-7ba6-496f-83c3-1a85a1e21fb6} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 3600 174b8f28458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.4.1296051842\443304143" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4200 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c1c4e0d-82e5-45bf-ace5-be9b1b462bb8} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 4216 174b9446f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.5.316431971\866637717" -childID 4 -isForBrowser -prefsHandle 4996 -prefMapHandle 5008 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24b22595-eb57-4c74-9b46-347fc0da612b} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 4964 174a7864158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.7.18008809\298201266" -childID 6 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1ef2389-51a5-4237-b068-2c73dfde103c} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 5436 174ba6ad758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.6.592582350\1601496351" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b84a93-b837-46d6-9213-dac74bb9115c} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 5328 174ba13b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1852.8.249100393\311198173" -childID 7 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a794a66-fbf1-44f9-b141-cbc541a2b54f} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" 5912 174bc0c2258 tab

Network


Files

C:\Users\Admin\AppData\Local\Temp\_MEI37442\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_wmi.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\crypto_clipper.json

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI37442\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI37442\libopus-0.x64.dll

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore.jsonlz4
