hxxps://links[.]newerainvestor[.]com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877

Analysis

max time kernel
0s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
08/01/2024, 18:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 2928 wrote to memory of 3700	2928	firefox.exe	17
PID 2928 wrote to memory of 3700	2928	firefox.exe	17

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.0.282049474\1487408614" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e96353f-fe68-4ff4-9643-a4b3b8c81096} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1860 29cff7d7b58 gpu
  2⤵
  PID:3700
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.1.2128763367\425079546" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03caaf00-cf43-4629-9ffa-0afd01997a5a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2264 29c883d0e58 socket
  2⤵
  PID:5048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.2.1803052082\1981258922" -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2848 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f2b942-ceb0-4b7c-95ed-a0a54ce61804} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2724 29c8b1d3a58 tab
  2⤵
  PID:1444
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.3.1413340234\1618893304" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57ce9f15-b51d-4ed6-82e5-c1aa28cef634} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 3540 29c8c2ead58 tab
  2⤵
  PID:1680
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.5.1754084648\2041908654" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d7da44-74fa-414c-afe1-789be83bb533} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5124 29c8de85258 tab
  2⤵
  PID:1284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.6.1185127971\1059027352" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0e1d63-7c3e-4cb6-b0bf-d0fd66e5090d} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5008 29c8de88b58 tab
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.4.1828296670\969746666" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4888 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b45e93c-5eb0-4fb6-9b16-1cd0c4af9634} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 4936 29c8d3ddb58 tab
  2⤵
  PID:1852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877"
1⤵
PID:4272

Network

DNS

links.newerainvestor.com

Remote address:

8.8.8.8:53

Request

links.newerainvestor.com

IN A

Response

links.newerainvestor.com

IN CNAME

api-us1.chd01.com

api-us1.chd01.com

IN A

35.238.129.105
DNS

links.newerainvestor.com

Remote address:

8.8.8.8:53

Request

links.newerainvestor.com

IN A
DNS

links.newerainvestor.com

Remote address:

8.8.8.8:53

Request

links.newerainvestor.com

IN A
DNS

contile.services.mozilla.com

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
DNS

contile.services.mozilla.com

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A
DNS

content-signature-2.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A

Response

content-signature-2.cdn.mozilla.net

IN CNAME

content-signature-chains.prod.autograph.services.mozaws.net

content-signature-chains.prod.autograph.services.mozaws.net

IN CNAME

prod.content-signature-chains.prod.webservices.mozgcp.net

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

content-signature-2.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A
DNS

shavar.services.mozilla.com

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A

Response

shavar.services.mozilla.com

IN CNAME

shavar.prod.mozaws.net

shavar.prod.mozaws.net

IN A

34.213.155.5

shavar.prod.mozaws.net

IN A

44.239.151.67

shavar.prod.mozaws.net

IN A

52.24.152.80
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

34.213.155.5

shavar.prod.mozaws.net

IN A

52.24.152.80

shavar.prod.mozaws.net

IN A

44.239.151.67
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

login.live.com

Remote address:

8.8.8.8:53

Request

login.live.com

IN A

Response

login.live.com

IN CNAME

login.msa.msidentity.com

login.msa.msidentity.com

IN CNAME

www.tm.lg.prod.aadmsa.akadns.net

www.tm.lg.prod.aadmsa.akadns.net

IN CNAME

prdv4a.aadg.msidentity.com

prdv4a.aadg.msidentity.com

IN CNAME

www.tm.v4.a.prd.aadg.trafficmanager.net

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.146

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.147

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.84

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.85

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.19

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.20

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.149

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.177.22
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.206

a767.dspw65.akamai.net

IN A

96.17.178.186

a767.dspw65.akamai.net

IN A

96.17.178.192

a767.dspw65.akamai.net

IN A

96.17.178.204

a767.dspw65.akamai.net

IN A

96.17.178.185

a767.dspw65.akamai.net

IN A

96.17.178.208

a767.dspw65.akamai.net

IN A

96.17.178.187

a767.dspw65.akamai.net

IN A

96.17.178.194

a767.dspw65.akamai.net

IN A

96.17.178.196
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A
DNS

push.services.mozilla.com

Remote address:

8.8.8.8:53

Request

push.services.mozilla.com

IN A

Response

push.services.mozilla.com

IN CNAME

autopush.prod.mozaws.net

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

autopush.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN A

Response

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

autopush.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN AAAA

Response
DNS

push.services.mozilla.com

Remote address:

8.8.8.8:53

Request

push.services.mozilla.com

IN A

Response

push.services.mozilla.com

IN CNAME

autopush.prod.mozaws.net

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

5.155.213.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.155.213.34.in-addr.arpa

IN PTR

Response

5.155.213.34.in-addr.arpa

IN PTR

ec2-34-213-155-5 us-west-2compute amazonawscom
DNS

contile.services.mozilla.com

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
DNS

contile.services.mozilla.com

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A
DNS

firefox.settings.services.mozilla.com

Remote address:

8.8.8.8:53

Request

firefox.settings.services.mozilla.com

IN A

Response

firefox.settings.services.mozilla.com

IN CNAME

prod.remote-settings.prod.webservices.mozgcp.net

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A
DNS

146.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.177.190.20.in-addr.arpa

IN PTR

Response
DNS

api-us1.chd01.com

Remote address:

8.8.8.8:53

Request

api-us1.chd01.com

IN A

Response

api-us1.chd01.com

IN A

35.238.129.105
DNS

api-us1.chd01.com

Remote address:

8.8.8.8:53

Request

api-us1.chd01.com

IN AAAA

Response
DNS

105.129.238.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.129.238.35.in-addr.arpa

IN PTR

Response

105.129.238.35.in-addr.arpa

IN PTR

10512923835bcgoogleusercontentcom
DNS

105.129.238.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.129.238.35.in-addr.arpa

IN PTR
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A
DNS

contile.services.mozilla.com

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN AAAA

Response
DNS

206.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.178.17.96.in-addr.arpa

IN PTR

Response

206.178.17.96.in-addr.arpa

IN PTR

a96-17-178-206deploystaticakamaitechnologiescom
DNS

206.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.178.17.96.in-addr.arpa

IN PTR
DNS

234.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.187.250.142.in-addr.arpa

IN PTR

Response

234.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f101e100net
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

IN A

20.31.169.57
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

prod.balrog.prod.cloudops.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

201.181.244.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.181.244.35.in-addr.arpa

IN PTR

Response

201.181.244.35.in-addr.arpa

IN PTR

20118124435bcgoogleusercontentcom
DNS

201.181.244.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.181.244.35.in-addr.arpa

IN PTR
DNS

ciscobinary.openh264.org

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

209.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.134.221.88.in-addr.arpa

IN PTR

Response

209.134.221.88.in-addr.arpa

IN PTR

a88-221-134-209deploystaticakamaitechnologiescom
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.180.14
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A
GET

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

Remote address:

88.221.134.209:80

Request

GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Thu, 16 Nov 2023 07:38:17 GMT
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1700120296.01123
Content-Type: application/zip
X-Trans-Id: tx83dabe2b359f4df0880f4-00655605b9dfw1
Cache-Control: public, max-age=240782
Expires: Thu, 11 Jan 2024 13:27:03 GMT
Date: Mon, 08 Jan 2024 18:34:01 GMT
Connection: keep-alive
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.180.14
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA
DNS

redirector.gvt1.com

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA
DNS

r1---sn-aigzrnsz.gvt1.com

Remote address:

8.8.8.8:53

Request

r1---sn-aigzrnsz.gvt1.com

IN A

Response

r1---sn-aigzrnsz.gvt1.com

IN CNAME

r1.sn-aigzrnsz.gvt1.com

r1.sn-aigzrnsz.gvt1.com

IN A

74.125.175.166
DNS

r1---sn-aigzrnsz.gvt1.com

Remote address:

8.8.8.8:53

Request

r1---sn-aigzrnsz.gvt1.com

IN A
DNS

14.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.180.250.142.in-addr.arpa

IN PTR

Response

14.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f141e100net
DNS

r1.sn-aigzrnsz.gvt1.com

Remote address:

8.8.8.8:53

Request

r1.sn-aigzrnsz.gvt1.com

IN A

Response

r1.sn-aigzrnsz.gvt1.com

IN A

74.125.175.166
DNS

r1.sn-aigzrnsz.gvt1.com

Remote address:

8.8.8.8:53

Request

r1.sn-aigzrnsz.gvt1.com

IN AAAA

Response

r1.sn-aigzrnsz.gvt1.com

IN AAAA

2a00:1450:4009:1b::6
DNS

r1.sn-aigzrnsz.gvt1.com

Remote address:

8.8.8.8:53

Request

r1.sn-aigzrnsz.gvt1.com

IN AAAA
DNS

166.175.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.175.125.74.in-addr.arpa

IN PTR

34.213.155.5:443

shavar.services.mozilla.com

tls

5.0kB
4.2kB
14
10
34.149.100.209:443

firefox.settings.services.mozilla.com

tls

3.3kB
35.5kB
34
45
34.107.243.93:443

push.services.mozilla.com

tls

1.9kB
6.0kB
11
12
34.107.243.93:443

push.services.mozilla.com

tls

1.6kB
4.9kB
11
9
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

1.6kB
5.5kB
15
13
34.117.237.239:443

contile.services.mozilla.com

tls

1.8kB
7.7kB
15
14
34.160.144.191:443

prod.content-signature-chains.prod.webservices.mozgcp.net

52 B
1
34.117.237.239:443

contile.services.mozilla.com

52 B
1
35.238.129.105:443

links.newerainvestor.com

tls

5.7kB
10.9kB
19
16
34.149.100.209:443

firefox.settings.services.mozilla.com

tls

1.0kB
5.3kB
11
10
35.238.129.105:443

links.newerainvestor.com

tls

1.1kB
665 B
10
7
35.238.129.105:443

links.newerainvestor.com

tls

2.2kB
3.3kB
11
10
204.79.197.200:443

tse1.mm.bing.net

tls

1.0kB
8.2kB
10
13
204.79.197.200:443

tse1.mm.bing.net

tls

1.1kB
8.3kB
12
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.1kB
8.4kB
12
15
204.79.197.200:443

tse1.mm.bing.net

tls

27.0kB
1.2MB
537
848
204.79.197.200:443

tse1.mm.bing.net

tls

1.3kB
8.2kB
16
13
127.0.0.1:49775

firefox.exe
35.244.181.201:443

aus5.mozilla.org

tls

2.2kB
5.5kB
16
13
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

1.8kB
11.8kB
18
20
88.221.134.209:80

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

http

17.8kB
468.9kB
272
345

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

HTTP Response

200
142.250.180.14:443

redirector.gvt1.com

52 B
1
142.250.180.14:443

redirector.gvt1.com

tls

2.2kB
9.1kB
24
20
74.125.175.166:443

r1---sn-aigzrnsz.gvt1.com

tls

16.1kB
524.6kB
276
388

8.8.8.8:53

links.newerainvestor.com

dns

210 B
114 B
3
1

DNS Request

links.newerainvestor.com

DNS Request

links.newerainvestor.com

DNS Request

links.newerainvestor.com

DNS Response

35.238.129.105
8.8.8.8:53

contile.services.mozilla.com

dns

148 B
90 B
2
1

DNS Request

contile.services.mozilla.com

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

content-signature-2.cdn.mozilla.net

dns

162 B
235 B
2
1

DNS Request

content-signature-2.cdn.mozilla.net

DNS Request

content-signature-2.cdn.mozilla.net

DNS Response

34.160.144.191
8.8.8.8:53

shavar.services.mozilla.com

dns

407 B
1.1kB
6
5

DNS Request

shavar.services.mozilla.com

DNS Response

34.213.155.5

44.239.151.67

52.24.152.80

DNS Request

shavar.prod.mozaws.net

DNS Response

34.213.155.5

52.24.152.80

44.239.151.67

DNS Request

shavar.prod.mozaws.net

DNS Request

login.live.com

DNS Response

20.190.177.146

20.190.177.147

20.190.177.84

20.190.177.85

20.190.177.19

20.190.177.20

20.190.177.149

20.190.177.22

DNS Request

ctldl.windowsupdate.com

DNS Request

ctldl.windowsupdate.com

DNS Response

96.17.178.206

96.17.178.186

96.17.178.192

96.17.178.204

96.17.178.185

96.17.178.208

96.17.178.187

96.17.178.194

96.17.178.196
8.8.8.8:53

push.services.mozilla.com

dns

501 B
714 B
7
6

DNS Request

push.services.mozilla.com

DNS Response

34.107.243.93

DNS Request

autopush.prod.mozaws.net

DNS Response

34.107.243.93

DNS Request

autopush.prod.mozaws.net

DNS Request

push.services.mozilla.com

DNS Response

34.107.243.93

DNS Request

5.155.213.34.in-addr.arpa

DNS Request

contile.services.mozilla.com

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

firefox.settings.services.mozilla.com

dns

543 B
667 B
6
5

DNS Request

firefox.settings.services.mozilla.com

DNS Response

34.149.100.209

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

146.177.190.20.in-addr.arpa

dns

345 B
517 B
5
4

DNS Request

146.177.190.20.in-addr.arpa

DNS Request

api-us1.chd01.com

DNS Response

35.238.129.105

DNS Request

api-us1.chd01.com

DNS Request

105.129.238.35.in-addr.arpa

DNS Request

105.129.238.35.in-addr.arpa
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

229 B
299 B
3
2

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::

DNS Request

ocsp.digicert.com

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95
8.8.8.8:53

contile.services.mozilla.com

dns

218 B
292 B
3
2

DNS Request

contile.services.mozilla.com

DNS Request

206.178.17.96.in-addr.arpa

DNS Request

206.178.17.96.in-addr.arpa
8.8.8.8:53

234.187.250.142.in-addr.arpa

dns

345 B
604 B
5
4

DNS Request

234.187.250.142.in-addr.arpa

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.31.169.57

DNS Request

57.169.31.20.in-addr.arpa

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

384 B
507 B
5
4

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209

DNS Request

201.181.244.35.in-addr.arpa

DNS Request

201.181.244.35.in-addr.arpa
8.8.8.8:53

ciscobinary.openh264.org

dns

472 B
728 B
7
5

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.209

88.221.134.155

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.209

88.221.134.155

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1

DNS Request

209.134.221.88.in-addr.arpa

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Response

142.250.180.14
8.8.8.8:53

redirector.gvt1.com

dns

260 B
81 B
4
1

DNS Request

redirector.gvt1.com

DNS Response

142.250.180.14

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com
142.250.180.14:443

redirector.gvt1.com

https

8.8kB
12.3kB
12
12
8.8.8.8:53

r1---sn-aigzrnsz.gvt1.com

dns

142 B
116 B
2
1

DNS Request

r1---sn-aigzrnsz.gvt1.com

DNS Request

r1---sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.166
8.8.8.8:53

14.180.250.142.in-addr.arpa

dns

280 B
294 B
4
3

DNS Request

14.180.250.142.in-addr.arpa

DNS Request

r1.sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.166

DNS Request

r1.sn-aigzrnsz.gvt1.com

DNS Request

r1.sn-aigzrnsz.gvt1.com

DNS Response

2a00:1450:4009:1b::6
8.8.8.8:53

166.175.125.74.in-addr.arpa

dns

73 B
1

DNS Request

166.175.125.74.in-addr.arpa
74.125.175.166:443

r1.sn-aigzrnsz.gvt1.com

https

1.9kB
5.8kB
6
5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d8b326bd7692c314ba6fee6059766416

SHA1
3c6b6764719508d95faf4c9e51a6ee8e96e82bed

SHA256
3ce28f7c75d1b30924caf0b25eafe5248487a8c70420b7b583d885b3b86c0248

SHA512
f3f3ef3534e16f1ac10f25bed007bb92d7f948044b544f5db040fa8957dc0c01dee536afad2eb31904e6671df5774a1cd846fa385d55e0d4527ef8663fc17cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\pending_pings\0e3f2b73-4959-4bdb-809f-9e1911040974

Filesize
9KB

MD5
2df4ff592fc271bfa8cfefaea9fcb286

SHA1
bbdea8a828d96d27d74aad981c125d536389c423

SHA256
7c4c99446749a5ebe5623f866309e11e9972fac146ca0caa8ed662ceb47906ea

SHA512
de17a94a7ef5cf3d346c0709aa4903e017e9ea9d892338344056be18642da36b2250c2e6370e745186f77bc56e57f410a9cd6973f56abfea5418e196aee7c824

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\pending_pings\1c2bebe1-5f94-44e4-b196-b014ea80693e

Filesize
746B

MD5
df09a347cc012d1a7b3326609bf9158f

SHA1
78e860e58d3100f4054afcce9aaa90494f75595c

SHA256
e17d19727529eab9fc38f661422fadf06ae29426869d243fe1f202725bd68946

SHA512
7f9da4764e23812ce739b1351e524a8556c6559c9f359ee9ad61471d90d8a438dd663307d3d866e9cd1fab1e897dd99980efc487ed7d6e200e8fdde31d8a6fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\prefs-1.js

Filesize
6KB

MD5
497005c593f887f91859a48ff4a284bf

SHA1
a75c41c61a04c38235eb453d8508258361110aa7

SHA256
4939298e69ba307471282ae3039c9d74f1ca9c304829938e6e061e322b751a37

SHA512
b7954efc0e2cd2957ef21a8e334c78b7800c6b35d64fb7d08bfde02095f0991b369f3e8652e797a122daac5722b7a54cae857b2ee9ac618aeaa6998d756b0af1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1d446ce4bc1d9093006542cfb50c234d

SHA1
b522fd332bab4d7972da8ba94a8c932cc2021f88

SHA256
d8ed7db0f1a916357ab2d7e142555f2879cd3156863efb7a0fe066b97f25e583

SHA512
ae39e23819d3880e995b6b2a83ce0f9cb4673af2b71cf700d1f61fd54200ccbc6bb01c85bfd4c9ea603a07c5804f9ba0e7ffa60aa8df9b27182661e205a49b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
a90e4d9450cb3baf32ea3ec1aab1254f

SHA1
f34bee6ddf9fa10aebc271d11d3bd672f0cf6f42

SHA256
281b2d9f1c0c94cba9d8b8b9a58f3ca43077d047c1cfa38e70b3990d1565e51d

SHA512
d2b39fecd2dc7ea7abfc0eb45fdc01c033f31d59f68a227245219d94a2538b71f306570d12a75f58c7bec7a81145d9f799a831861bf238d1b632ed2f3f5b41db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request