Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

  • 16/05/2024, 16:02 UTC   240516-thaqkacf53   (score 8)
  • 16/05/2024, 15:21 UTC   240516-srd9nsaf9x   (score 8)
  • 16/05/2024, 15:16 UTC   240516-snm3eaag66   (score 8)

Analysis

  • max time kernel
    9s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2024, 16:02 UTC

General

  • Target

    https://www.angusj.com/resourcehacker/reshacker_setup.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.angusj.com/resourcehacker/reshacker_setup.exe"
    PID:3964
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.angusj.com/resourcehacker/reshacker_setup.exe
      PID:388
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe (gpu process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.0.1004542317\1931822946" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1812 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08fdf78-a3f4-4d85-bcff-957aa97979d1} 388 "\\.\pipe\gecko-crash-server-pipe.388" 1892 1862340fe58 gpu
        PID:4772
      • C:\Program Files\Mozilla Firefox\firefox.exe (socket process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.1.2074557064\865863803" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54cab637-aa7e-4a49-b97f-9d739625ce3e} 388 "\\.\pipe\gecko-crash-server-pipe.388" 2488 1861668a858 socket
        PID:2416
      • C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 1)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.2.421922996\1092934225" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b39c8d2d-8543-4dfd-834c-91e59cb5c225} 388 "\\.\pipe\gecko-crash-server-pipe.388" 3004 1862624ea58 tab
        PID:1880
      • C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 2)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.3.1663468406\118521779" -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3560 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5514d4ab-f380-4b77-a03e-6b2f295a38f4} 388 "\\.\pipe\gecko-crash-server-pipe.388" 3668 18627ebe158 tab
        PID:4452
      • C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.4.1505332724\2065870968" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5092 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ac420a-acc3-496b-b36a-c1c394043986} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5108 1862695dd58 tab
        PID:4280
      • C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 4)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.5.1090475920\1093996933" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2b2dbf-5260-4ea4-ad56-06bcb3734729} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5244 186297bde58 tab
        PID:2320
      • C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 5)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="388.6.311649821\1045529264" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f1709ad-cc62-4d6e-a612-76525105a294} 388 "\\.\pipe\gecko-crash-server-pipe.388" 5432 1862a5a6f58 tab
        PID:1404

                Network

                 • DNS (US)
                  8.8.8.8.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  8.8.8.8.in-addr.arpa
                  IN PTR
                  Response
                  8.8.8.8.in-addr.arpa
                  IN PTR
                   dns.google
                 • DNS (US)
                  232.168.11.51.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  232.168.11.51.in-addr.arpa
                  IN PTR
                  Response
                 • DNS (US)
                  www.angusj.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  www.angusj.com
                  IN A
                  Response
                  www.angusj.com
                  IN CNAME
                  angusj.com
                  angusj.com
                  IN A
                  203.170.87.121
                 • DNS (US)
                  contile.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  contile.services.mozilla.com
                  IN A
                  Response
                  contile.services.mozilla.com
                  IN A
                  34.117.188.166
                 • DNS (US)
                  spocs.getpocket.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  spocs.getpocket.com
                  IN A
                  Response
                  spocs.getpocket.com
                  IN CNAME
                  prod.ads.prod.webservices.mozgcp.net
                  prod.ads.prod.webservices.mozgcp.net
                  IN A
                  34.117.188.166
                 • DNS (US)
                  getpocket.cdn.mozilla.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  getpocket.cdn.mozilla.net
                  IN A
                  Response
                  getpocket.cdn.mozilla.net
                  IN CNAME
                  getpocket-cdn.prod.mozaws.net
                  getpocket-cdn.prod.mozaws.net
                  IN CNAME
                  prod.pocket.prod.cloudops.mozgcp.net
                  prod.pocket.prod.cloudops.mozgcp.net
                  IN A
                  34.120.5.221
                 • DNS (US)
                  content-signature-2.cdn.mozilla.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  content-signature-2.cdn.mozilla.net
                  IN A
                  Response
                  content-signature-2.cdn.mozilla.net
                  IN CNAME
                  content-signature-chains.prod.autograph.services.mozaws.net
                  content-signature-chains.prod.autograph.services.mozaws.net
                  IN CNAME
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  IN A
                  34.160.144.191
                 • DNS (US)
                  shavar.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  shavar.services.mozilla.com
                  IN A
                  Response
                  shavar.services.mozilla.com
                  IN CNAME
                  shavar.prod.mozaws.net
                  shavar.prod.mozaws.net
                  IN A
                  35.164.250.149
                  shavar.prod.mozaws.net
                  IN A
                  54.188.201.143
                  shavar.prod.mozaws.net
                  IN A
                  44.233.67.78
                 • DNS (US)
                  contile.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  contile.services.mozilla.com
                  IN A
                  Response
                  contile.services.mozilla.com
                  IN A
                  34.117.188.166
                 • GET (US)
                  https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
                  firefox.exe
                  Remote address:
                  34.120.5.221:443
                  Request
                  GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30 HTTP/2.0
                  host: getpocket.cdn.mozilla.net
                  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  accept: */*
                  accept-language: en-US,en;q=0.5
                  accept-encoding: gzip, deflate, br
                  sec-fetch-dest: empty
                  sec-fetch-mode: cors
                  sec-fetch-site: cross-site
                  if-none-match: W/"575e-ryk0NSC6+w0Nz2QA3OdX+aGN6oA"
                  te: trailers
                 • DNS (US)
                  push.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  push.services.mozilla.com
                  IN A
                  Response
                  push.services.mozilla.com
                  IN CNAME
                  autopush.prod.mozaws.net
                  autopush.prod.mozaws.net
                  IN A
                  34.107.243.93
                 • GET (US)
                  https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2024-06-09-11-51-09.chain
                  firefox.exe
                  Remote address:
                  34.160.144.191:443
                  Request
                  GET /chains/remote-settings.content-signature.mozilla.org-2024-06-09-11-51-09.chain HTTP/2.0
                  host: content-signature-2.cdn.mozilla.net
                  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  accept: */*
                  accept-language: en-US,en;q=0.5
                  accept-encoding: gzip, deflate, br
                  sec-fetch-dest: empty
                  sec-fetch-mode: no-cors
                  sec-fetch-site: cross-site
                  if-modified-since: Sat, 20 Apr 2024 11:51:10 GMT
                  if-none-match: "b4944a0f4143c705f938452dfddd53cd"
                  te: trailers
                 • DNS (US)
                  prod.pocket.prod.cloudops.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.pocket.prod.cloudops.mozgcp.net
                  IN A
                  Response
                  prod.pocket.prod.cloudops.mozgcp.net
                  IN A
                  34.120.5.221
                 • DNS (US)
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  IN A
                  Response
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  IN A
                  34.160.144.191
                 • DNS (US)
                  firefox.settings.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  firefox.settings.services.mozilla.com
                  IN A
                  Response
                  firefox.settings.services.mozilla.com
                  IN CNAME
                  prod.remote-settings.prod.webservices.mozgcp.net
                  prod.remote-settings.prod.webservices.mozgcp.net
                  IN A
                  34.149.100.209
                 • DNS (US)
                  contile.services.mozilla.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  contile.services.mozilla.com
                  IN AAAA
                  Response
                 • DNS (US)
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  IN AAAA
                  Response
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  IN AAAA
                  2600:1901:0:92a9::
                 • POST (US)
                  https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=110.0&pver=2.2
                  firefox.exe
                  Remote address:
                  35.164.250.149:443
                  Request
                  POST /downloads?client=navclient-auto-ffox&appver=110.0&pver=2.2 HTTP/1.1
                  Host: shavar.services.mozilla.com
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  Accept: */*
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Content-Type: text/plain
                  Content-Length: 582
                  Connection: close
                  Sec-Fetch-Dest: empty
                  Sec-Fetch-Mode: no-cors
                  Sec-Fetch-Site: none
                  Pragma: no-cache
                  Cache-Control: no-cache
                  Response
                  HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Date: Thu, 16 May 2024 16:03:12 GMT
                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                  Content-Length: 8
                  Connection: Close
                 • DNS (US)
                  prod.pocket.prod.cloudops.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.pocket.prod.cloudops.mozgcp.net
                  IN AAAA
                  Response
                  prod.pocket.prod.cloudops.mozgcp.net
                  IN AAAA
                  2600:1901:0:524c::
                 • DNS (US)
                  82.90.14.23.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  82.90.14.23.in-addr.arpa
                  IN PTR
                  Response
                  82.90.14.23.in-addr.arpa
                  IN PTR
                   a23-14-90-82.deploy.static.akamaitechnologies.com
                 • GET (US)
                  https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
                  firefox.exe
                  Remote address:
                  34.149.100.209:443
                  Request
                  GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/2.0
                  host: firefox.settings.services.mozilla.com
                  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  accept: application/json
                  accept-language: en-US,en;q=0.5
                  accept-encoding: gzip, deflate, br
                  content-type: application/json
                  sec-fetch-dest: empty
                  sec-fetch-mode: cors
                  sec-fetch-site: cross-site
                  if-modified-since: Fri, 25 Mar 2022 17:45:46 GMT
                  if-none-match: "1648230346554"
                  te: trailers
                 • DNS (US)
                  prod.ads.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.ads.prod.webservices.mozgcp.net
                  IN A
                  Response
                  prod.ads.prod.webservices.mozgcp.net
                  IN A
                  34.117.188.166
                 • DNS (US)
                  shavar.prod.mozaws.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  shavar.prod.mozaws.net
                  IN A
                  Response
                  shavar.prod.mozaws.net
                  IN A
                  35.164.250.149
                  shavar.prod.mozaws.net
                  IN A
                  44.233.67.78
                  shavar.prod.mozaws.net
                  IN A
                  54.188.201.143
                 • DNS (US)
                  autopush.prod.mozaws.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  autopush.prod.mozaws.net
                  IN A
                  Response
                  autopush.prod.mozaws.net
                  IN A
                  34.107.243.93
                 • DNS (US)
                  prod.ads.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.ads.prod.webservices.mozgcp.net
                  IN AAAA
                  Response
                 • DNS (US)
                  autopush.prod.mozaws.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  autopush.prod.mozaws.net
                  IN AAAA
                  Response
                 • DNS (US)
                  shavar.prod.mozaws.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  shavar.prod.mozaws.net
                  IN AAAA
                  Response
                 • GET (US)
                  https://push.services.mozilla.com/
                  firefox.exe
                  Remote address:
                  34.107.243.93:443
                  Request
                  GET / HTTP/1.1
                  Host: push.services.mozilla.com
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  Accept: */*
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate, br
                  Sec-WebSocket-Version: 13
                  Origin: wss://push.services.mozilla.com/
                  Sec-WebSocket-Protocol: push-notification
                  Sec-WebSocket-Extensions: permessage-deflate
                  Sec-WebSocket-Key: 8Xj4DF5RGcMGCWuKOd/w8A==
                  Connection: keep-alive, Upgrade
                  Sec-Fetch-Dest: websocket
                  Sec-Fetch-Mode: websocket
                  Sec-Fetch-Site: cross-site
                  Pragma: no-cache
                  Cache-Control: no-cache
                  Upgrade: websocket
                  Response
                  HTTP/1.1 101 Switching Protocols
                  connection: upgrade
                  upgrade: websocket
                  sec-websocket-accept: 9QnuiYAbWkUCFLsvw/1f5SD4P0g=
                  date: Thu, 16 May 2024 16:03:10 GMT
                  Via: 1.1 google
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                 • DNS (US)
                  prod.remote-settings.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.remote-settings.prod.webservices.mozgcp.net
                  IN A
                  Response
                  prod.remote-settings.prod.webservices.mozgcp.net
                  IN A
                  34.149.100.209
                 • DNS (US)
                  prod.remote-settings.prod.webservices.mozgcp.net
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  prod.remote-settings.prod.webservices.mozgcp.net
                  IN AAAA
                  Response
                 • GET (AU)
                  https://www.angusj.com/resourcehacker/reshacker_setup.exe
                  firefox.exe
                  Remote address:
                  203.170.87.121:443
                  Request
                  GET /resourcehacker/reshacker_setup.exe HTTP/2.0
                  host: www.angusj.com
                  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
                  accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                  accept-language: en-US,en;q=0.5
                  accept-encoding: gzip, deflate, br
                  upgrade-insecure-requests: 1
                  sec-fetch-dest: document
                  sec-fetch-mode: navigate
                  sec-fetch-site: none
                  sec-fetch-user: ?1
                  te: trailers
                  Response
                  HTTP/2.0 200
                  server: nginx
                  date: Thu, 16 May 2024 16:03:12 GMT
                  content-type: application/x-msdownload
                  content-length: 4268933
                  last-modified: Sun, 19 Nov 2023 10:21:19 GMT
                  accept-ranges: bytes
                 • DNS (US)
                  angusj.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  angusj.com
                  IN A
                  Response
                  angusj.com
                  IN A
                  203.170.87.121
                 • DNS (US)
                  angusj.com
                  firefox.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  angusj.com
                  IN AAAA
                  Response
                  angusj.com
                  IN AAAA
                  2404:8280:a222:bbbb:bba1:7:ffff:ffff
                 • DNS (US)
                  149.250.164.35.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  149.250.164.35.in-addr.arpa
                  IN PTR
                  Response
                  149.250.164.35.in-addr.arpa
                  IN PTR
                   ec2-35-164-250-149.us-west-2.compute.amazonaws.com
                 • DNS (US)
                  121.87.170.203.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  121.87.170.203.in-addr.arpa
                  IN PTR
                  Response
                  121.87.170.203.in-addr.arpa
                  IN PTR
                   ipcbaa5779.ipv4.syd02.ds.network
                 • DNS (US)
                  71.31.126.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  71.31.126.40.in-addr.arpa
                  IN PTR
                  Response
                 • DNS (US)
                  95.221.229.192.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  95.221.229.192.in-addr.arpa
                  IN PTR
                  Response
                 Connections. Each entry gives the remote endpoint (protocol; process), the name or URL, bytes sent / received with packets sent / received, then the request and response summary.

                 • 127.0.0.1:51025
                   firefox.exe (loopback)
                 • 34.120.5.221:443 (tls, http2; firefox.exe)
                   https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
                   sent 1.6kB / received 13.5kB, packets 11 / 17
                   HTTP request: GET (URL above)
                 • 34.160.144.191:443 (tls, http2; firefox.exe)
                   https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2024-06-09-11-51-09.chain
                   sent 1.4kB / received 4.0kB, packets 11 / 11
                   HTTP request: GET (URL above)
                 • 35.164.250.149:443 (tls, http; firefox.exe)
                   https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=110.0&pver=2.2
                   sent 2.2kB / received 3.9kB, packets 10 / 13
                   HTTP request: POST (URL above); HTTP response: 200
                 • 34.107.243.93:443 (tls, http2; firefox.exe)
                   push.services.mozilla.com
                   sent 1.1kB / received 4.0kB, packets 8 / 8
                 • 34.149.100.209:443 (tls, http2; firefox.exe)
                   https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
                   sent 1.6kB / received 4.3kB, packets 10 / 9
                   HTTP request: GET (URL above)
                 • 34.107.243.93:443 (tls, http; firefox.exe)
                   https://push.services.mozilla.com/
                   sent 1.8kB / received 4.4kB, packets 8 / 9
                   HTTP request: GET (URL above); HTTP response: 101
                 • 203.170.87.121:443 (tls, http2; firefox.exe)
                   https://www.angusj.com/resourcehacker/reshacker_setup.exe
                   sent 104.5kB / received 4.4MB, packets 1789 / 3163
                   HTTP request: GET (URL above); HTTP response: 200
                 • 203.170.87.121:443 (tls, http2; firefox.exe)
                   www.angusj.com
                   sent 1.2kB / received 4.6kB, packets 10 / 10
                 • 127.0.0.1:51035
                   firefox.exe (loopback)
                 • 8.8.8.8:53 (dns)
                   8.8.8.8.in-addr.arpa
                   sent 66 B / received 90 B, packets 1 / 1
                   DNS request
                 • 8.8.8.8:53 (dns)
                   232.168.11.51.in-addr.arpa
                   sent 72 B / received 158 B, packets 1 / 1
                   DNS request
                 • 8.8.8.8:53 (dns; firefox.exe)
                   www.angusj.com
                   sent 60 B / received 90 B, packets 1 / 1
                   DNS request; DNS response: 203.170.87.121
                 • 8.8.8.8:53 (dns; firefox.exe)
                   contile.services.mozilla.com
                   sent 74 B / received 90 B, packets 1 / 1
                   DNS request; DNS response: 34.117.188.166
                 • 8.8.8.8:53 (dns; firefox.exe)
                   spocs.getpocket.com
                   sent 65 B / received 131 B, packets 1 / 1
                   DNS request; DNS response: 34.117.188.166
                 • 8.8.8.8:53 (dns; firefox.exe)
                   getpocket.cdn.mozilla.net
                   sent 71 B / received 174 B, packets 1 / 1
                   DNS request; DNS response: 34.120.5.221
                 • 8.8.8.8:53 (dns; firefox.exe)
                   content-signature-2.cdn.mozilla.net
                   sent 81 B / received 235 B, packets 1 / 1
                   DNS request; DNS response: 34.160.144.191
                 • 8.8.8.8:53 (dns; firefox.exe)
                   shavar.services.mozilla.com
                   sent 73 B / received 157 B, packets 1 / 1
                   DNS request; DNS response: 35.164.250.149, 54.188.201.143, 44.233.67.78
                 • 34.117.188.166:443 (https; firefox.exe)
                   spocs.getpocket.com
                   sent 2.1kB / received 8.0kB, packets 8 / 10
                 • 8.8.8.8:53 (dns; firefox.exe)
                   contile.services.mozilla.com
                   sent 74 B / received 90 B, packets 1 / 1
                   DNS request; DNS response: 34.117.188.166
                 • 8.8.8.8:53 (dns; firefox.exe)
                   push.services.mozilla.com
                   sent 71 B / received 125 B, packets 1 / 1
                   DNS request; DNS response: 34.107.243.93
                 • 8.8.8.8:53 (dns; firefox.exe)
                   prod.pocket.prod.cloudops.mozgcp.net
                   sent 82 B / received 98 B, packets 1 / 1
                   DNS request

                  prod.pocket.prod.cloudops.mozgcp.net

                  DNS Response

                  34.120.5.221

                • 34.117.188.166:443
                  contile.services.mozilla.com
                  https
                  firefox.exe
                  2.3kB
                  5.6kB
                  8
                  8
                • 8.8.8.8:53
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  103 B
                  119 B
                  1
                  1

                  DNS Request

                  prod.content-signature-chains.prod.webservices.mozgcp.net

                  DNS Response

                  34.160.144.191

                • 8.8.8.8:53
                  firefox.settings.services.mozilla.com
                  dns
                  firefox.exe
                  83 B
                  161 B
                  1
                  1

                  DNS Request

                  firefox.settings.services.mozilla.com

                  DNS Response

                  34.149.100.209

                • 8.8.8.8:53
                  contile.services.mozilla.com
                  dns
                  firefox.exe
                  74 B
                  155 B
                  1
                  1

                  DNS Request

                  contile.services.mozilla.com

                • 8.8.8.8:53
                  prod.content-signature-chains.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  103 B
                  131 B
                  1
                  1

                  DNS Request

                  prod.content-signature-chains.prod.webservices.mozgcp.net

                  DNS Response

                  2600:1901:0:92a9::

                • 8.8.8.8:53
                  prod.pocket.prod.cloudops.mozgcp.net
                  dns
                  firefox.exe
                  82 B
                  110 B
                  1
                  1

                  DNS Request

                  prod.pocket.prod.cloudops.mozgcp.net

                  DNS Response

                  2600:1901:0:524c::

                • 8.8.8.8:53
                  82.90.14.23.in-addr.arpa
                  dns
                  70 B
                  133 B
                  1
                  1

                  DNS Request

                  82.90.14.23.in-addr.arpa

                • 8.8.8.8:53
                  prod.ads.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  82 B
                  98 B
                  1
                  1

                  DNS Request

                  prod.ads.prod.webservices.mozgcp.net

                  DNS Response

                  34.117.188.166

                • 8.8.8.8:53
                  shavar.prod.mozaws.net
                  dns
                  firefox.exe
                  68 B
                  116 B
                  1
                  1

                  DNS Request

                  shavar.prod.mozaws.net

                  DNS Response

                  35.164.250.149
                  44.233.67.78
                  54.188.201.143

                • 8.8.8.8:53
                  autopush.prod.mozaws.net
                  dns
                  firefox.exe
                  70 B
                  86 B
                  1
                  1

                  DNS Request

                  autopush.prod.mozaws.net

                  DNS Response

                  34.107.243.93

                • 8.8.8.8:53
                  prod.ads.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  82 B
                  175 B
                  1
                  1

                  DNS Request

                  prod.ads.prod.webservices.mozgcp.net

                • 8.8.8.8:53
                  autopush.prod.mozaws.net
                  dns
                  firefox.exe
                  70 B
                  155 B
                  1
                  1

                  DNS Request

                  autopush.prod.mozaws.net

                • 8.8.8.8:53
                  shavar.prod.mozaws.net
                  dns
                  firefox.exe
                  68 B
                  153 B
                  1
                  1

                  DNS Request

                  shavar.prod.mozaws.net

                • 8.8.8.8:53
                  prod.remote-settings.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  94 B
                  110 B
                  1
                  1

                  DNS Request

                  prod.remote-settings.prod.webservices.mozgcp.net

                  DNS Response

                  34.149.100.209

                • 8.8.8.8:53
                  prod.remote-settings.prod.webservices.mozgcp.net
                  dns
                  firefox.exe
                  94 B
                  187 B
                  1
                  1

                  DNS Request

                  prod.remote-settings.prod.webservices.mozgcp.net

                • 8.8.8.8:53
                  angusj.com
                  dns
                  firefox.exe
                  56 B
                  72 B
                  1
                  1

                  DNS Request

                  angusj.com

                  DNS Response

                  203.170.87.121

                • 8.8.8.8:53
                  angusj.com
                  dns
                  firefox.exe
                  56 B
                  84 B
                  1
                  1

                  DNS Request

                  angusj.com

                  DNS Response

                  2404:8280:a222:bbbb:bba1:7:ffff:ffff

                • 8.8.8.8:53
                  149.250.164.35.in-addr.arpa
                  dns
                  73 B
                  137 B
                  1
                  1

                  DNS Request

                  149.250.164.35.in-addr.arpa

                • 8.8.8.8:53
                  121.87.170.203.in-addr.arpa
                  dns
                  73 B
                  119 B
                  1
                  1

                  DNS Request

                  121.87.170.203.in-addr.arpa

                • 8.8.8.8:53
                  71.31.126.40.in-addr.arpa
                  dns
                  71 B
                  157 B
                  1
                  1

                  DNS Request

                  71.31.126.40.in-addr.arpa

                • 8.8.8.8:53
                  95.221.229.192.in-addr.arpa
                  dns
                  73 B
                  144 B
                  1
                  1

                  DNS Request

                  95.221.229.192.in-addr.arpa

                MITRE ATT&CK Enterprise v15


                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  24KB

                  MD5

                  0dde86cb559d24d2abb38a5338b8d0ca

                  SHA1

                  dfbb1b537c0e019757716797b552c571d03f215f

                  SHA256

                  70df25cae1031c34845b7446d76d4b651939dfb59c0aba59e31ab35969f55f76

                  SHA512

                  97d5aa124ba71160384452aacd51904591c180e5129fd57f5bfb423df550cf32df9f7ee503ee2f741201ed26cefa9a64f5986a7b88e2d1310afae76c28d2273b

                • C:\Users\Admin\Downloads\reshacker_setup.1XnIKnDo.exe.part

                  Filesize

                  7KB

                  MD5

                  da4217e7e1212dbd974c37103b0f082d

                  SHA1

                  3434e728a9ac81003dc2ecdf1e613f6ee696cfef

                  SHA256

                  ace32d47a3d2d0c3576bcbd8f7c54abdf30895f40962bed98ffea904afe75a43

                  SHA512

                  b55a165a0df7f592e8b1cc0f1c64945f1896fbe901ba744af70cc58a5090bc90bbf28418efbadcc6d24af6a9704218aa3ab7d3b1eed0eb860b8810718b825006
