b4b96e61980599af727294cc05e85675e789f872b5c42346096f422c118de084

Resubmissions

21/05/2024, 00:50 UTC

240521-a7ax3sdb7s 4

21/05/2024, 00:49 UTC

240521-a6nsjsdb5s 1

Analysis

max time kernel
613s
max time network
1588s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21/05/2024, 00:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pagefile.7z
Size

79.4MB
MD5

ecda4d60df1dd5a867f94f75076103ea
SHA1

e9e4c67cd80950f418e17ccecf699ba3e70b9201
SHA256

b4b96e61980599af727294cc05e85675e789f872b5c42346096f422c118de084
SHA512

f2f9f34158966a42e8ced2684c8febfb72973636d2e662fa4b80c2c2edec51cb0285e7a0f097fb38d8adbce2fb6b718d09a0ee015c5875d369783570a3d07133
SSDEEP

1572864:3qzvGjsfKKocul6DRJMawJIjK6QD//fB4cGLlR8v7qFrohUxt:30vA8KKo36DMbF603fBzKm7qFP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	firefox.exe
Token: SeDebugPrivilege	204	firefox.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
204	firefox.exe
204	firefox.exe
204	firefox.exe
204	firefox.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
204	firefox.exe
204	firefox.exe
204	firefox.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe
2624	vlc.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
204	firefox.exe
2624	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 5076	4576	OpenWith.exe	76
PID 4576 wrote to memory of 5076	4576	OpenWith.exe	76
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 5076 wrote to memory of 204	5076	firefox.exe	78
PID 204 wrote to memory of 2208	204	firefox.exe	79
PID 204 wrote to memory of 2208	204	firefox.exe	79
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 4104	204	firefox.exe	80
PID 204 wrote to memory of 2192	204	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pagefile.7z
1⤵
- Modifies registry class
PID:4176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\pagefile.7z"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\pagefile.7z
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.0.1211070746\1537363916" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {673f686a-5f7d-4d3d-ba93-4b8d966e0cd5} 204 "\\.\pipe\gecko-crash-server-pipe.204" 1680 26e6e205e58 gpu
      4⤵
      PID:2208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.1.843721164\2046504232" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac1a4ba-51a6-426e-9827-06bf6cecac72} 204 "\\.\pipe\gecko-crash-server-pipe.204" 2172 26e5ab73858 socket
      4⤵
      Checks processor information in registry
      PID:4104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.2.242377595\587891987" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2952 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e915d00f-c210-49cc-9303-6a0864d37119} 204 "\\.\pipe\gecko-crash-server-pipe.204" 2944 26e712d8b58 tab
      4⤵
      PID:2192
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.3.1228302131\1797576054" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a02b3c-466a-4ea1-8113-4d5c7a48d8be} 204 "\\.\pipe\gecko-crash-server-pipe.204" 3324 26e6f6a1358 tab
      4⤵
      PID:1428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.4.1552925244\940600336" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4944 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f743f7-7be5-4953-b33f-741040bf8046} 204 "\\.\pipe\gecko-crash-server-pipe.204" 4980 26e712d7658 tab
      4⤵
      PID:1956
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.5.1227333994\109027515" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5000 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a38900ab-65d8-42d2-a959-a1a0155750e4} 204 "\\.\pipe\gecko-crash-server-pipe.204" 5104 26e72c8b958 tab
      4⤵
      PID:3132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="204.6.1625037180\50457887" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab6da9e9-1a1b-4364-9291-cbbfb643437a} 204 "\\.\pipe\gecko-crash-server-pipe.204" 5300 26e73551058 tab
      4⤵
      PID:520

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\AppData\Local\Temp\pagefile.7z
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2624

Network

DNS

content-signature-2.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A

Response

content-signature-2.cdn.mozilla.net

IN CNAME

content-signature-chains.prod.autograph.services.mozaws.net

content-signature-chains.prod.autograph.services.mozaws.net

IN CNAME

prod.content-signature-chains.prod.webservices.mozgcp.net

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

push.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

push.services.mozilla.com

IN A

Response

push.services.mozilla.com

IN CNAME

autopush.prod.mozaws.net

autopush.prod.mozaws.net

IN A

34.107.243.93
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.188.166
DNS

shavar.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.services.mozilla.com

IN A

Response

shavar.services.mozilla.com

IN CNAME

shavar.prod.mozaws.net

shavar.prod.mozaws.net

IN A

44.230.111.112

shavar.prod.mozaws.net

IN A

35.164.250.149

shavar.prod.mozaws.net

IN A

54.188.201.143
DNS

firefox.settings.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox.settings.services.mozilla.com

IN A

Response

firefox.settings.services.mozilla.com

IN CNAME

prod.remote-settings.prod.webservices.mozgcp.net

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
GET

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

firefox.exe

Remote address:

34.149.100.209:443

Request

GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/2.0
host: firefox.settings.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-modified-since: Fri, 25 Mar 2022 17:45:46 GMT
if-none-match: "1648230346554"
te: trailers
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

54.188.201.143

shavar.prod.mozaws.net

IN A

44.230.111.112

shavar.prod.mozaws.net

IN A

35.164.250.149
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN A

Response

autopush.prod.mozaws.net

IN A

34.107.243.93
GET

https://contile.services.mozilla.com/v1/tiles

firefox.exe

Remote address:

34.117.188.166:443

Request

GET /v1/tiles HTTP/2.0
host: contile.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
te: trailers
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

autopush.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

autopush.prod.mozaws.net

IN AAAA

Response
GET

https://push.services.mozilla.com/

firefox.exe

Remote address:

34.107.243.93:443

Request

GET / HTTP/1.1
Host: push.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: wss://push.services.mozilla.com/
Sec-WebSocket-Protocol: push-notification
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: vWQzmbT0UfG+9EFIkJijzg==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Response

HTTP/1.1 101 Switching Protocols

connection: upgrade
sec-websocket-accept: 7vvY6LdauxOZi2vlX1fNzhPiKN4=
upgrade: websocket
date: Tue, 21 May 2024 00:53:50 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN A

Response

contile.services.mozilla.com

IN A

34.117.188.166
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

contile.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

contile.services.mozilla.com

IN AAAA

Response
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

166.188.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.188.117.34.in-addr.arpa

IN PTR

Response

166.188.117.34.in-addr.arpa

IN PTR

16618811734bcgoogleusercontentcom
DNS

112.111.230.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

112.111.230.44.in-addr.arpa

IN PTR

Response

112.111.230.44.in-addr.arpa

IN PTR

ec2-44-230-111-112 us-west-2compute amazonawscom
DNS

122.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.10.44.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

76.234.34.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.234.34.23.in-addr.arpa

IN PTR

Response

76.234.34.23.in-addr.arpa

IN PTR

a23-34-234-76deploystaticakamaitechnologiescom
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response

127.0.0.1:49750

firefox.exe
44.230.111.112:443

shavar.services.mozilla.com

tls

firefox.exe

2.2kB
3.7kB
10
9
34.149.100.209:443

https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

tls, http2

firefox.exe

1.8kB
4.4kB
14
13

HTTP Request

GET https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
34.117.188.166:443

https://contile.services.mozilla.com/v1/tiles

tls, http2

firefox.exe

1.8kB
8.0kB
15
19

HTTP Request

GET https://contile.services.mozilla.com/v1/tiles
34.160.144.191:443

content-signature-2.cdn.mozilla.net

tls

firefox.exe

1.6kB
4.2kB
15
16
34.107.243.93:443

https://push.services.mozilla.com/

tls, http

firefox.exe

1.9kB
4.5kB
12
12

HTTP Request

GET https://push.services.mozilla.com/

HTTP Response

101
127.0.0.1:49756

firefox.exe
52.142.223.178:80

46 B
1

8.8.8.8:53

content-signature-2.cdn.mozilla.net

dns

firefox.exe

81 B
235 B
1
1

DNS Request

content-signature-2.cdn.mozilla.net

DNS Response

34.160.144.191
8.8.8.8:53

push.services.mozilla.com

dns

firefox.exe

71 B
125 B
1
1

DNS Request

push.services.mozilla.com

DNS Response

34.107.243.93
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.188.166
8.8.8.8:53

shavar.services.mozilla.com

dns

firefox.exe

73 B
157 B
1
1

DNS Request

shavar.services.mozilla.com

DNS Response

44.230.111.112

35.164.250.149

54.188.201.143
8.8.8.8:53

firefox.settings.services.mozilla.com

dns

firefox.exe

83 B
161 B
1
1

DNS Request

firefox.settings.services.mozilla.com

DNS Response

34.149.100.209
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

54.188.201.143

44.230.111.112

35.164.250.149
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
86 B
1
1

DNS Request

autopush.prod.mozaws.net

DNS Response

34.107.243.93
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

autopush.prod.mozaws.net

dns

firefox.exe

70 B
155 B
1
1

DNS Request

autopush.prod.mozaws.net
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
90 B
1
1

DNS Request

contile.services.mozilla.com

DNS Response

34.117.188.166
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
34.117.188.166:443

contile.services.mozilla.com

https

firefox.exe

1.8kB
4.2kB
5
6
8.8.8.8:53

contile.services.mozilla.com

dns

firefox.exe

74 B
155 B
1
1

DNS Request

contile.services.mozilla.com
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

166.188.117.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

166.188.117.34.in-addr.arpa
8.8.8.8:53

112.111.230.44.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

112.111.230.44.in-addr.arpa
8.8.8.8:53

122.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

122.10.44.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

76.234.34.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

76.234.34.23.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
53e45eca6bdc032b6fb905cd5c1a6fd3

SHA1
13f6922fbbb58cae09f908151ea950cf442fde2a

SHA256
25c944a373f49da640ce8728aee38b6249245054707c3df74ab473187038c215

SHA512
39e55d1cc86e2d1394228b09631181e05c77c0e40d54c5ec0e89cf57d7095e89559ad242b2d4a368dabc686d4e2b8503fc6af039c422072fa78c99614373822f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\866cbe70-c9e5-45f7-bf81-6bca7b50ae89

Filesize
734B

MD5
3d5e25eedf5d73c9f4114e15d59b0741

SHA1
08b8e5583e15486bfbb15e7838a4c3d2625cf731

SHA256
8e94e2603bd4ae52087b8228574e32758405993a27de40b8ee989f17d09ba237

SHA512
32bfa9ce4fc2cb0829a9491a7f2d07ad1fb96bbbacb4f016087b0ce886dde03f36facc95ae941eff212cd1f684007a5e093475bf372d0072e75993cc395b899a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
7f963b6b01646b120956b4fdc65304d3

SHA1
27095cda73123255cbda93c4a35ba77ca0c370a6

SHA256
3341ec10b467816ec60c1ed8082b2a17fe1ff02b3c58b7d288010670ebb7d3fc

SHA512
914024ab019339869af996f723ef75ca0f3bc1caf22296208e256938e2e8744dc99ae19f76ead38c47ce7896aa44b25fe19b93aab1bc34aba28641be01a2858b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
225da7fcfed72e27709abc5e39729253

SHA1
10e95a52b9826f74d37ebfe7d36dcfca1bc128aa

SHA256
8f4f8b5750dbf1fd7b05a606f1641470bd8991b5d6bb388d3b9a4b0471668c09

SHA512
44e43cbfa9575948cf9b2e92ad8fd2e00029aedda468f5bd39714e3bccdb499b04c09a14435e1182f4e281eda6d870a0391b420a4feb5558ead37c2ca6776004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
997B

MD5
20fe2fd36ea393c230c008653202b465

SHA1
ea413f9ec8002b5f66088f6ceb6c9e3ac57725a5

SHA256
390c40d251c4fcc39131601a8e84ac40c33b246fa33ab983b1255de87dbe9fca

SHA512
75d7b1f829eab67e45dee5b72fdb285c648b6ee9398ea0bcb43bf0492ab9abd6a70a25d803ccd14bd9385f9f197fa55c21fcf2a3a54d25fdda977dc5a3689e60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

Filesize
639B

MD5
cd0c63d1eb9faaaaf05fcb3740dcd2b7

SHA1
964724af86cd97d5640b4f59edd784f65dff2d5e

SHA256
98d73ae6e1762780a2686a124001f3035ed55532d4cd85ed8f505412cfb3ea69

SHA512
1bfab18842eeaeeae6d28dc005a8b211401f134348ed092fb632b3c3d2bbec1d4f14260fa97c09a66081c6766075d7ffc829596ad5a9718fdc6936b648f9f1dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
memory/2624-119-0x00007FFBD82C0000-0x00007FFBD82D8000-memory.dmp

Filesize
96KB

Download
memory/2624-113-0x00007FFBD9850000-0x00007FFBD9867000-memory.dmp

Filesize
92KB

Download
memory/2624-116-0x00007FFBCC2E0000-0x00007FFBCC4EB000-memory.dmp

Filesize
2.0MB

Download
memory/2624-124-0x00007FFBCC210000-0x00007FFBCC221000-memory.dmp

Filesize
68KB

Download
memory/2624-123-0x00007FFBCC230000-0x00007FFBCC24B000-memory.dmp

Filesize
108KB

Download
memory/2624-122-0x00007FFBCC250000-0x00007FFBCC261000-memory.dmp

Filesize
68KB

Download
memory/2624-121-0x00007FFBCC270000-0x00007FFBCC281000-memory.dmp

Filesize
68KB

Download
memory/2624-120-0x00007FFBCC290000-0x00007FFBCC2A1000-memory.dmp

Filesize
68KB

Download
memory/2624-109-0x00007FFBCC4F0000-0x00007FFBCC7A6000-memory.dmp

Filesize
2.7MB

Download
memory/2624-118-0x00007FFBCC2B0000-0x00007FFBCC2D1000-memory.dmp

Filesize
132KB

Download
memory/2624-117-0x00007FFBD8240000-0x00007FFBD8281000-memory.dmp

Filesize
260KB

Download
memory/2624-114-0x00007FFBD8300000-0x00007FFBD831D000-memory.dmp

Filesize
116KB

Download
memory/2624-112-0x00007FFBD9870000-0x00007FFBD9881000-memory.dmp

Filesize
68KB

Download
memory/2624-111-0x00007FFBDBA00000-0x00007FFBDBA17000-memory.dmp

Filesize
92KB

Download
memory/2624-126-0x00007FFBCA730000-0x00007FFBCA765000-memory.dmp

Filesize
212KB

Download
memory/2624-110-0x00007FFBDBD80000-0x00007FFBDBD98000-memory.dmp

Filesize
96KB

Download
memory/2624-125-0x00007FFBCB160000-0x00007FFBCC210000-memory.dmp

Filesize
16.7MB

Download
memory/2624-115-0x00007FFBD82E0000-0x00007FFBD82F1000-memory.dmp

Filesize
68KB

Download
memory/2624-146-0x00007FFBD9890000-0x00007FFBD98C4000-memory.dmp

Filesize
208KB

Download
memory/2624-147-0x00007FFBCC4F0000-0x00007FFBCC7A6000-memory.dmp

Filesize
2.7MB

Download
memory/2624-145-0x00007FF7977B0000-0x00007FF7978A8000-memory.dmp

Filesize
992KB

Download
memory/2624-148-0x00007FFBCB160000-0x00007FFBCC210000-memory.dmp

Filesize
16.7MB

Download
memory/2624-107-0x00007FF7977B0000-0x00007FF7978A8000-memory.dmp

Filesize
992KB

Download
memory/2624-108-0x00007FFBD9890000-0x00007FFBD98C4000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.