Malware Analysis Report

2024-09-23 03:50

Sample ID 240528-jsb19sbf8s
Target script.ps1
SHA256 e8aa5ffdcfcc134e37b424cfe0e7996f5c5406f11a51b5c50b184b31d87fa864
Tags metasploit execution
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8aa5ffdcfcc134e37b424cfe0e7996f5c5406f11a51b5c50b184b31d87fa864

Threat Level: Known bad

The file script.ps1 was found to be: Known bad.

Malicious Activity Summary

metasploit execution

Metasploit family

Command and Scripting Interpreter: PowerShell

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-28 07:55

Signatures

Metasploit family

metasploit

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 07:55

Reported

2024-05-28 08:27

Platform

win10-20240404-en

Max time kernel

1588s

Max time network

1592s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 628 wrote to memory of 2892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 628 wrote to memory of 2892 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2892 wrote to memory of 4480 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2892 wrote to memory of 4480 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 788 wrote to memory of 4212 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 4728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 4728 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3060 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp" "c:\Users\Admin\AppData\Local\Temp\kavnnwqn\CSC94E1A5210F148918BDA587AA0C6FE48.TMP"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.0.1531404878\1516873490" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53d236aa-b251-4859-b0a8-e7d1a8bcabaf} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1796 242e88d7658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.1.723626806\788106979" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a9e408f-dc40-4b5e-a826-ea00ea6325c6} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 2152 242e8430e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.2.1508242793\1790660608" -childID 1 -isForBrowser -prefsHandle 2648 -prefMapHandle 2764 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f28f9591-931b-42ee-9b6d-3460bda78702} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3228 242eca9ea58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.3.515803614\1282530669" -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd69f2c1-8253-471d-9cf0-04a092b88c1a} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3016 242eaff3d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.4.1568985633\1427780914" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3684 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d9b5c8-e2d4-486e-847a-527525d12cf3} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3524 242e87faa58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.5.202308204\769503109" -childID 4 -isForBrowser -prefsHandle 4740 -prefMapHandle 4724 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8b647e2-e255-43b2-a9a3-f9aba8c58f06} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4692 242eb21ab58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.6.1402023674\246596844" -childID 5 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19845428-2cf2-4ba8-8f3d-0d6db554b23d} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4824 242ed0c8b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.7.818393791\747471025" -childID 6 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d254256b-26a9-46e4-a45a-44a307bf8810} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4812 242ee9a7958 tab

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 25.251.17.2.in-addr.arpa | udp
N/A | 127.0.0.1:51829 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp
US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | shavar.services.mozilla.com | udp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 44.237.98.207:443 | shavar.services.mozilla.com | tcp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp
US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp
US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp
US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp
US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | 207.98.237.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp
N/A | 127.0.0.1:51836 | | tcp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | aus5.mozilla.org | udp
US | 35.244.181.201:443 | aus5.mozilla.org | tcp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp
US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp
NL | 2.18.121.72:80 | ciscobinary.openh264.org | tcp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
FR | 142.250.178.142:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | 142.178.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.121.18.2.in-addr.arpa | udp
FR | 142.250.178.142:443 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp
GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp
US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp
US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp
GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp
US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | aus5.mozilla.org | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | location.services.mozilla.com | udp
US | 35.166.253.131:443 | location.services.mozilla.com | tcp
US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp
US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp
US | 8.8.8.8:53 | 131.253.166.35.in-addr.arpa | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.188.166:443 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp

Files

memory/628-0-0x00007FFE18603000-0x00007FFE18604000-memory.dmp

memory/628-5-0x000001FD594D0000-0x000001FD594F2000-memory.dmp

memory/628-9-0x000001FD597A0000-0x000001FD59816000-memory.dmp

memory/628-8-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gad1a3xf.4hl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/628-10-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.cmdline

MD5 5993e1bf46f74999c2a6ed472b9412b6
SHA1 e92a9e212974028d619962b65334746696e9fe7a
SHA256 d274a31917a051b42465d9e64961f73b875a05f3cada0fc532e6c3d96afb0907
SHA512 dc964b05865ecefd2af326ca4f32b9d1ab64c8c6e4f51d2c631ee49ea03e1b8e9c8c529d44588f773214d2f44d221c93f2264c8bd6b5d31a5311ae065248fca6

\??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.0.cs

MD5 7319070c34daa5f6f2ece2dfc07119ee
SHA1 f26a4a48518a5608e93c8b77368f588b0433973c
SHA256 b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

\??\c:\Users\Admin\AppData\Local\Temp\kavnnwqn\CSC94E1A5210F148918BDA587AA0C6FE48.TMP

MD5 2edf69de809a81e3506b92b21cf66b4e
SHA1 7c698e81207f14b2364d66b152cd89cb17d57cde
SHA256 266155af3a79ed830338e6edda019d2a80be0fa89542bed623a8372f9c413deb
SHA512 132e2c570eb738d1240b1197091e1ab00a7a350134cb07b35bf5b384e3253888b3f256a846ede863e6f438d8584e7672db8144d9eb02420a5f595ad8618c654f

C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp

MD5 6abe509ded6f691a07e7229ece2d93b1
SHA1 bf50271539345eba34bb409c567a0781fef9ea61
SHA256 522dad01f533f54f6cf9f4ca450b3f39188a7e98f8a962872d1070e0d258c3ce
SHA512 30a62034af8d13c1a9701d520ad290b32aa2ce40081f92cf6be7dc82a5d9e5dec8cb8c88e867a79ec8c730d98d2bb7a443c0c4fdcae981a60c3f673aff8b519e

C:\Users\Admin\AppData\Local\Temp\kavnnwqn\kavnnwqn.dll

MD5 0ff1bf9fce04e5fabe04bd46ca964f14
SHA1 0b28764fa07d5e1944d6dc153b84ed661de30158
SHA256 a9b156050b53a9eecd2ef436fc1dc7596cbfc9c2583a9a00a630b14bab5710ac
SHA512 c856fc25ca63cd783dad0346e1547a1f7803a3577f191225d5f7f9e8a235dc9311f1d2fb3ba38b21d7575b09191b9c53612eb466b485258411e0474ad17ad1e4

memory/628-37-0x000001FD59780000-0x000001FD59788000-memory.dmp

memory/628-45-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp

memory/628-46-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp

memory/628-2040-0x000001FD59920000-0x000001FD59921000-memory.dmp

memory/628-2043-0x00007FFE18600000-0x00007FFE18FEC000-memory.dmp

memory/628-2044-0x00007FFE18603000-0x00007FFE18604000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin

MD5 d95e950005fef428e3953993272bff63
SHA1 73ba17a3b9f8a084118d392c8bedb45867e8afce
SHA256 e240c3aa8b4e763e29a76d1f6df18997249107f67b2e5c8faa12341c55cadf4a
SHA512 162cdf390c7b90fe1d9560874e3f4e219047b6f483f6d523a2d43a4e8d3a88363edb247a6581d2c9a42884a3c1320319227295f953bc6262cf982015ffbdf629

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\e037fc4b-3430-4164-8b15-529becf05c3a

MD5 71a6baed65a1fa44ec9d0c1c728af94e
SHA1 1711f9a3ed5ba02740766a30c768214fdfa1725e
SHA256 682d2f64b09b60568ac28630406a27b4a9379e1d010ea1272ac4076e79d4462e
SHA512 290365ba36072baa6338d99c62ae2ddd28b689cbbc3b356f191d0f6f659c082d6285ea9c2b5bb45f7406656b07eb451d9ad5e68020928a09bfe2fa64fb30f0ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\be7f8848-7a1f-4a66-bb31-d27927a8eb6b

MD5 04688060dc4ca341a8ee0d9ac627fbf8
SHA1 6d7c35458f9070c1443becaeb15ec9a2129dfbe9
SHA256 cabefb942b9e88552cc8a0456e0fb972a603ccee1d8e4122f2e39c8c425eb965
SHA512 16e87a208284d952c0e1ad45c080882141b578e382f54b0fa1d8486b27a5b3fdc50e04b89309954383563992e9a2ec3949a6b43c88b431ff9c1cf5b60e68160a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

MD5 b62a61750634cb68a8ba2e4683d47c36
SHA1 8715fcd837a899b936384087d75fbf14eff32c91
SHA256 13d2ad1f9dacff25158d846fa45914b69a475628cd0bbe3d3005eb7987a65f96
SHA512 e032313ce7e1e138a9b57c425c16d257784556076c55682bc57ffc322b610fbd84fa8f46d4b2682bd755f4c12585134cbf2aae2be5f7cf3007cf3d5afc48063d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 25e557ae491d1d13ada8a1d4ea1f83b7
SHA1 87c9dfbe95dd11107ca4273db94727e2ebf92d80
SHA256 df902a42316eb0d88cf316830b249674b1836cddd44e2c4489079115e443c998
SHA512 7365500f4877445c7f785f4f55962755aeed5bcffb572c0c8d3594a81c54b24eae665169fe3287fb820a684ae662c82cc38fc3671db841194933442e7677c00b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 dd1adb1d57eb7c8de52faa8fdab6ec47
SHA1 50acf859f7912bc36b2d3a109407ef00374b18e1
SHA256 ffefaa21960f3404f65f7712024f4ceae28e97fdf131bc5d720163842879e92d
SHA512 429ccbb09ee74b6ae9f4422f81640f45a84533f07784bd8d9a73709d9e7af0bfdfe79bfc0f6f9942b94f2d70e4ecffc3261e6cebb4cd91470c27586734605336

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 1c5794e6caa8eda35f9dbfb954b3d0de
SHA1 97656171e12b810a4561ed1b7b09bdf7d6516367
SHA256 a62c189d436cd02d582ea9c071d6bb0dfd6113480ab8172a91efdc4c60f53964
SHA512 af4352607299dbab8848cdb74481cb1f56393646bc4a6b9ab74dbd1cbbe7afa01717516bff2ae4e4eb794ec4dbb03b9b5b70f425d674e13f4652dd3cc22bf48c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

MD5 40d7051336a689bf349ce19f6d55b850
SHA1 7c3c0a2228a85a70b0d840ea4fa7d8bc57b6e7a6
SHA256 a3247ee6df4431a33e3328d1de4f2596f32f6018f49b0f7e39e12ddbc2641564
SHA512 39fb118df5f6f8616258c7b9e90cdff37cf25b627ef616af2fec77e7a15676c78a880c41e977aa74a549633f0544914b13b44f6e2fd5a5440aa786f8ce1ac66d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 906891215898da39c89a9cf5d8c77dcf
SHA1 5edb7114b286bd00b79efe149dc622d48a1b7ac9
SHA256 67fb461747e1161b45992c4653dfa82903de10b7f39f67426b89fcae01ad8940
SHA512 73fcb230ce5cf262d9a99c4b38b6ed48552ed538e842ef2cb25805fa513feded640f94cc20831c71e53f4b23659e30ad3669e2939d88849b18f0e9a270968240

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 92e6c5852ccf70241a8a4c5f16303dad
SHA1 a474ff5a230ce0bd56cb3476fff73d249e919045
SHA256 5ffc7bbc4603ddbf2226fc054bdece3cc02516b01e6888fcbc1ddac2b63af5c6
SHA512 d9c78034d5cf6d91729520eaf864ae0c5a8c8468d9b6242bf06b24efb1e3e33a3c4b57e9e9624823122ac487150f64d44ae647757d8720bd4e9c0391c1219cfe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\broadcast-listeners.json

MD5 5aaef3166c6e76fcd9902c008edd75d8
SHA1 f366588652f12c9b7eaf2f8b16ce044333a83683
SHA256 00974d52cb364d32124bf33b14a4fb4cc8461e854de04969afe50eb3e4d81861
SHA512 7683756e83b1b74183794b1d67270de31ad5e617afa04994b4b76bccb23c1b8e58aff8375960ea648bd9042ceb3025b0efa6261db0f7e2d397e1762ed2abaa74

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 49b8e9a4beead847e2f8aa550111e1c1
SHA1 4bea7f8438730ea1e5d078a2edc1a6846f8e0f07
SHA256 821027144246fcf766d2bb3c4d74df89185171cc88fe004eceee173fea372051
SHA512 3cc5022a86e11b23b46eb4b2a39e86eb59711d7e3ed158e37fc406c41ffdd6b6ccd9fe16b4a72a025c8cd26ef0aa36f4c78196ee80adbe04e373bb26a830919d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\bookmarkbackups\bookmarks-2024-05-28_11_fHex2gcaYrcM3bB6rAfVHg==.jsonlz4

MD5 06d87d126355fd690e457ce18b4778f7
SHA1 3de1658c09f3729a9ef1e86d20a4379192b125b3
SHA256 d7f1acf55995a0c37cee175af46bd974fa2bb09f2905e9001aeaf604166b7294
SHA512 78ea844adc923e9d7383c4c2c2566aa99097542d69ad04655398dae6ae4e7b9b63037c5c5a7776e939f6337f216e5e906fac5f3faef5bdad8302b117ee653eb5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

MD5 62ece33612c4f7c583740501398afc57
SHA1 8bb3a2c2b49a7f4003e4210afd21e75848e565b3
SHA256 4be52569d46718a468202c3d62021492e91d0011848d4878df4d8e38a902160a
SHA512 ce3b937ef075e57afebfd78d0798b72a1c785af56a73a861cbbac14fb6efd5d712a8f1e1fd0b0f441c845ed1a30110a26e89eac5abe3296a397936ca661c6953

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\extensions.json.tmp

MD5 5ebd0622338bda931843fbee29c374d8
SHA1 04e73b6e8cdc0f56e5faa396ec1db543621f0d8b
SHA256 97a2a6dac05273711c0717e0cb8d04763691ac175c675760b5db81d332c31289
SHA512 213155fd8a53bc7b5c40940cf4f3cb400cdde4218893b4d31a8f8262ad8621af2fb738014402333c1c220b6692683c3f47e7dc56a13290adcbdd32c62f29cd52

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\12238

MD5 729cde036cced45a65c9921d8cbca594
SHA1 3bf1699fef0d9a95f18b415626b2c693a74e578d
SHA256 866efa74a294caf98808e3ba586aff37fd99f11c93a96c43323bc2bd26858529
SHA512 86a15d4ef4a38e727a642ec16c9ed4a108f86f5701baaded3c310de4ed0d47df5553551e8077ff1cb5b74b155907ccbb99f4ff7f70a703fbbb4503c34c1ec818