Malware Analysis Report

2024-11-13 15:43

Sample ID 231111-qw4c9afh6w
Target https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
Tags
mercurialgrabber evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber evasion spyware stealer

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Maps connected drives based on registry

NTFS ADS

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 13:37

Reported

2023-11-11 13:40

Platform

win10v2004-20231023-en

Max time kernel

158s

Max time network

164s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
N/A N/A C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip4.seeip.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Archive.7z:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Archive(1).7z:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Archive\rbxgen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3868 wrote to memory of 3308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 3196 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 3196 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 2028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 4912 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 4912 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 4912 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.0.365464597\1105341842" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1cdf5f-369e-4b1a-9c88-3f9ae146f263} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 1944 1ddafd15b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.1.654678349\1740768646" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d8cfa2-db34-43c5-859d-f13f2b0c2463} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 2368 1ddaeaf0a58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.2.592354202\770753706" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2980 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a8c7f8-558a-4884-adc5-d2f618071469} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3068 1ddb2e27d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.3.1718297424\853477937" -childID 2 -isForBrowser -prefsHandle 3756 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db3a3db-a4ac-4d69-9f36-59dca15dcb48} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3780 1dd9b16c858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.5.1102786328\1181814385" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051b3ca6-52de-40d7-8f60-ab04f0f818b2} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4988 1ddb5087a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.6.145596445\1221511835" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5136 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de369be-aa77-4442-bef1-10cc3ca1ffc1} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5252 1ddb50bb058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.4.977141970\1705630305" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4796 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8be740a9-72fe-4864-a11a-9de42bcb0489} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4832 1ddb4e56d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.7.949519804\1260576102" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b297f46-d0a8-47af-838e-138ad2919f8a} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5760 1ddb7098c58 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Archive\" -spe -an -ai#7zMap1869:74:7zEvent30926

C:\Users\Admin\Downloads\Archive\rbxgen.exe

"C:\Users\Admin\Downloads\Archive\rbxgen.exe"

C:\Users\Admin\Downloads\Archive\rbxgen.exe

"C:\Users\Admin\Downloads\Archive\rbxgen.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:62464 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1cvyl2-my.sharepoint.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 13.107.136.10:443 1cvyl2-my.sharepoint.com tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 dual-spo-0005.spo-msedge.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 10.136.107.13.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 dual-spo-0005.spo-msedge.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 35.167.95.175:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 93.243.107.34.in-addr.arpa udp
US 8.8.8.8:53 175.95.167.35.in-addr.arpa udp
US 35.167.95.175:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shell.cdn.office.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 e19254.dscg.akamaiedge.net udp
NL 104.81.140.174:443 e19254.dscg.akamaiedge.net tcp
US 8.8.8.8:53 e19254.dscg.akamaiedge.net udp
US 8.8.8.8:53 res-1.cdn.office.net udp
NL 104.110.240.43:443 res-1.cdn.office.net tcp
US 8.8.8.8:53 e40491.dscd.akamaiedge.net udp
NL 104.110.240.43:443 res-1.cdn.office.net tcp
NL 104.110.240.43:443 res-1.cdn.office.net udp
US 8.8.8.8:53 174.140.81.104.in-addr.arpa udp
US 8.8.8.8:53 43.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
N/A 127.0.0.1:62474 tcp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 20.42.65.91:443 mobile.events.data.microsoft.com tcp
US 20.42.65.91:443 mobile.events.data.microsoft.com tcp
US 8.8.8.8:53 onedscolprdeus17.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdeus17.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdwus03.westus.cloudapp.azure.com udp
US 20.189.173.4:443 onedscolprdwus03.westus.cloudapp.azure.com tcp
US 20.189.173.4:443 onedscolprdwus03.westus.cloudapp.azure.com tcp
US 8.8.8.8:53 onedscolprdwus03.westus.cloudapp.azure.com udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdeus04.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdeus04.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 e40491.dscd.akamaiedge.net udp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdeus07.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdeus07.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdeus17.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdeus17.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 mobile.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdcus09.centralus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdcus09.centralus.cloudapp.azure.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 141.64.128.23.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\err804pm.default-release\activity-stream.discovery_stream.json.tmp

MD5 248b6361dfd560480f44610e43ed847d
SHA1 4874d418c9e9ff5dc00ecc1eb2135f7b665d7a71
SHA256 014b64121ecd232bb5c39bae5fa8383b09db0e0dc9cf31fb3bfdc52b46b29043
SHA512 b2470cea300c021603eb88b85e8d7079937529d53a90e22f4c731ab7848983d70a210265e7c585f4cbbe371be8d08d8701e9a00fac61c4e9893ececfcf4dca0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js

MD5 e53a6734a92b567c525097c8b7e8b009
SHA1 f88c0147f2fa284952198b15df774f7d95744371
SHA256 8e938c3a9ee6c6a939ca6fe8cc58365baf5f62ca1d622ee5e0e61471606494ee
SHA512 2823ed66dfb1bc30b44707ed446ca84e023cf812472aaaf03f5a50108decaf661626f0fe7f5f209940f79db31dc8111c2d9cf1584bf2a9b75aa51e4eb9098b66

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\cache\morgue\73\{ec16874b-1a1c-4a2b-a15c-5fd650f49f49}.final

MD5 6a992e9294a845a4331501eb759c0039
SHA1 3cd2061b7792f2584735bdf144866662968131de
SHA256 745ddd45bd380f03d3cd13a5267e051ea1f98337cc9059bc1a3afebb0c757d5c
SHA512 cf4b98e1c4beed09cbf41ddd0c94178ab37a7099d570a075db1a86ef4d2c4cf9348c425b45a7c1584293f2ef0bf2612be2bb2e9f552e1d5c3d4b00f77aaddcd4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\idb\3217723701OBDDS_P.sqlite

MD5 062a69a186f75831215cfb20fcc870db
SHA1 fc92d46bb0a0355fb7f1c63084a41c086606849c
SHA256 b2b429164afbd3e611cf7e5665b79ba2e3c0d321c342b6748087182374d9de9e
SHA512 fb45d90ff95d4ef2aa52743d6c9ccb8abc4ae5cbd6cb9193a0ab372c7b7ddb27426fa0f8067466be4a7f610ca3b69bf315f3877062dd20ebd126e7bc9d6fb234

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\storage\default\https+++1cvyl2-my.sharepoint.com\idb\276181416SyWr.tTeemle.sqlite-wal

MD5 e203fdbb05ac350641c72cd957baab7b
SHA1 2378b2d87c9ff574df9ba900b26c6d00832269df
SHA256 47d4325a5fab7f571da9ff466e8149c05b6512220af8223b77d69d7ac81d1cbf
SHA512 0cf10f868c867b62fda56d988e25b3071f00f63a2646ef8603a94246de6f53f265d6ece062f052f666018ef9ba3e7b7a109acd6ac64844159c847948e2113d46

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0acdd6893775f4f973db634880f96199
SHA1 78ee570c855a08bf6db8143ba2c0db88946bd0ba
SHA256 3aae3fcf6498f844da94bc8421d9e2347274261bbb8848eee5848c870cd6bf76
SHA512 be22cecb24f09a726ef2c204f320885e02106d05e2811506744759403ef0b93bb5e1aff79d5fb7e2504494c500f3e25e9ac783e4a79997b7016e04cc0ad4a282

C:\Users\Admin\Downloads\iK_2y4xl.7z.part

MD5 50db46bdb3624dc6eade9d0fcbfe602c
SHA1 8d52e704d39213065155354cca5d52aef5408ed0
SHA256 bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
SHA512 e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5200240cafb83f3b9a8c37a50edced1d
SHA1 1994a117db0ce4e5d1ecdaebcb01d0174186d2e2
SHA256 e71e2eca9446ea56ff153cef1928b6d90f48a38a17dab454f51a5f738b90431d
SHA512 8c293a39fe0730bff52217709b3ca808959bf382415d7e5e82ea0728a1c22cfe1f3b42cf706f0d5634e4543276ed9ce74540699484da5925cbd7ee908c6e725f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f10d634663436ef0e53cef0e03ed81d3
SHA1 eb8bc6aee3fc8edfe4aa7a8cd5f4c74320e038a3
SHA256 1ae98b497426f65b8a61a7732934c5db1a05026d62c948c44c4ef00fe0eca58f
SHA512 6e71cf5c9baf25feee2c99a504b3f615e7185c345375a2759f8182c735896661ddba3e5d3e66ccc8486b9ef8257714286e2f52fb37ba99a238da49ba163965e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionCheckpoints.json.tmp

MD5 e6c20f53d6714067f2b49d0e9ba8030e
SHA1 f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore.jsonlz4

MD5 3d580a7d2708230799a7c734016805e3
SHA1 b7b015467d08a725a1d16751a3cb637b205dd554
SHA256 e4cae90b6333d0c17e948feb103e8a23046b62066391f24ee81b578709494fce
SHA512 8aa20fae0e3cf031919b27ef1893a205922db5fa79a60ee90bf0720daaed9369d7a780a32b1d04222562051c8064ec2452dba33223df86803f723c862d3251c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js

MD5 671022480aa40a352614634e2c8c8425
SHA1 5b29bc014c45ab3f48e46b06abc8223136e617b4
SHA256 3f1a33dfe63d378c1605c1738acda372e281680836dd17f39c125e8cb6bc0ac7
SHA512 a169cb47ceb1e99f48b5449ccab1d093dcd33bf144d32f55ef98347b8c30bc80e0e3d1878007679fd715a941c54b7b355988636c4adcfedc0c7138c73c2a5c2d

C:\Users\Admin\Downloads\Archive(1).7z

MD5 50db46bdb3624dc6eade9d0fcbfe602c
SHA1 8d52e704d39213065155354cca5d52aef5408ed0
SHA256 bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
SHA512 e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

C:\Users\Admin\Downloads\Archive.7z

MD5 50db46bdb3624dc6eade9d0fcbfe602c
SHA1 8d52e704d39213065155354cca5d52aef5408ed0
SHA256 bdf6a8895a935714cd03fcc3b2a96dda4d5794b60bf0bfe8139cd6a2d7262fa9
SHA512 e6bc9231286e78eacaf4e433a0661c4158addd01808a58be5f68d52322b098cd49d5884c10caf5f9de5e47c4fc081b917f1b0a2c9d2a34fb5f1f968818abe4dd

C:\Users\Admin\Downloads\Archive\rbxgen.exe

MD5 4b5098e511b13ff333b0c9bf4aeda73d
SHA1 0d87e54d39ace7fc85fbe4aecad754c5d536a94b
SHA256 8e05f7cdce16a1af53997297375327b66c83d5145797863d6ddea243efe8f371
SHA512 b251d68217e2e4a768be100a0af895ff58243c603fa7dadbfdb8f562992f7736ec024cb00353d4d587e113691858bd736af7b97e7da832ff86442f3c27e7b54a

C:\Users\Admin\Downloads\Archive\rbxgen.exe

MD5 4b5098e511b13ff333b0c9bf4aeda73d
SHA1 0d87e54d39ace7fc85fbe4aecad754c5d536a94b
SHA256 8e05f7cdce16a1af53997297375327b66c83d5145797863d6ddea243efe8f371
SHA512 b251d68217e2e4a768be100a0af895ff58243c603fa7dadbfdb8f562992f7736ec024cb00353d4d587e113691858bd736af7b97e7da832ff86442f3c27e7b54a

memory/3580-1228-0x0000000000580000-0x00000000005A6000-memory.dmp

memory/3580-1229-0x00007FF91B650000-0x00007FF91C111000-memory.dmp

memory/3580-1230-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/3580-1234-0x00007FF91B650000-0x00007FF91C111000-memory.dmp

C:\Users\Admin\Downloads\Archive\rbxgen.exe

MD5 4b5098e511b13ff333b0c9bf4aeda73d
SHA1 0d87e54d39ace7fc85fbe4aecad754c5d536a94b
SHA256 8e05f7cdce16a1af53997297375327b66c83d5145797863d6ddea243efe8f371
SHA512 b251d68217e2e4a768be100a0af895ff58243c603fa7dadbfdb8f562992f7736ec024cb00353d4d587e113691858bd736af7b97e7da832ff86442f3c27e7b54a

memory/4744-1236-0x00007FF91B650000-0x00007FF91C111000-memory.dmp

memory/4744-1237-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

memory/4744-1241-0x00007FF91B650000-0x00007FF91C111000-memory.dmp