Malware Analysis Report

2024-09-11 05:55

Sample ID 240528-xte17sgd4y
Target Windows Tweaks.bat
SHA256 6b7006ebcb34979159b16e885a65119a0e23fcab3dcd5bdff657aa2c4e29d488
Tags
discovery exploit spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6b7006ebcb34979159b16e885a65119a0e23fcab3dcd5bdff657aa2c4e29d488

Threat Level: Likely malicious

The file Windows Tweaks.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit spyware stealer

Possible privilege escalation attempt

Modifies file permissions

Reads user/profile data of web browsers

Enumerates connected drives

Gathers network information

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Runs net.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-28 19:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 19:08

Reported

2024-05-28 19:10

Platform

win11-20240508-en

Max time kernel

68s

Max time network

72s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows Tweaks.bat"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\takeown.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4560 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4560 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4560 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4560 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4560 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 956 wrote to memory of 1012 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 956 wrote to memory of 1012 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4560 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4560 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1608 wrote to memory of 4936 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 4936 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 4688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4688 wrote to memory of 5032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows Tweaks.bat"

C:\Windows\system32\takeown.exe

takeown /s OYHKEPSP /u Admin /f "C:\Users\Public\Desktop" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Users\Public\Desktop" /inheritance:r

C:\Windows\system32\icacls.exe

icacls "C:\Users\Public\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c

C:\Windows\system32\takeown.exe

takeown /s OYHKEPSP /u Admin /f "C:\Users\Admin\Desktop" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Desktop" /inheritance:r

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c

C:\Windows\system32\takeown.exe

takeown /s OYHKEPSP /u Admin /f "Z:\Desktop" /r /d y

C:\Windows\system32\icacls.exe

icacls "Z:\Desktop" /inheritance:r

C:\Windows\system32\icacls.exe

icacls "Z:\Desktop" /inheritance:e /grant:r Admin:(OI)(CI)F /t /l /q /c

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\net.exe

net user defaultuser1 /delete

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user defaultuser1 /delete

C:\Windows\system32\net.exe

net user defaultuser100000 /delete

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user defaultuser100000 /delete

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.0.432282475\711489598" -parentBuildID 20230214051806 -prefsHandle 1716 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aabe8eb-8c4e-47ba-84a7-5b10df9665b5} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 1832 2ceff523e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.1.2143866459\547042120" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb5ee1e-40de-4b56-a595-c97fed964215} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2356 2cefa188d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.2.377126813\1327222547" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2752 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c19a4d5-6d1e-4ece-9610-4355bd61192a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2956 2ce89d12d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.3.1897453309\1574214964" -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44cc6602-db22-49bd-a129-b295fc72e55a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 3940 2ce8c928258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.4.906325364\59300594" -childID 3 -isForBrowser -prefsHandle 4992 -prefMapHandle 5152 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e9b2354-dff4-4677-9054-00b9dd0541b8} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 2780 2ce8f88b358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.5.423884659\1998383923" -childID 4 -isForBrowser -prefsHandle 2532 -prefMapHandle 2528 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8716181f-8142-462e-b63b-aa5b8b18519a} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5132 2ce8f88b658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4688.6.1515275830\836617289" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdbdad9-5e8f-4989-b773-60316d2bceef} 4688 "\\.\pipe\gecko-crash-server-pipe.4688" 5592 2ce8f88b958 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 104.86.110.113:443 tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
NL 23.62.61.97:443 r.bing.com tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.237.65.238:443 shavar.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
N/A 127.0.0.1:49788 tcp
N/A 127.0.0.1:49796 tcp

Files

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 cd56e155edf53e5728c46b6c9eb9c413
SHA1 14b1b0f090803c9ee39797aed4af13dc7849566d
SHA256 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a
SHA512 a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qt190sk.default-release\activity-stream.discovery_stream.json.tmp

MD5 d6ef8003cfe19a2c6ac84c544e952da7
SHA1 540d2f2575c165b6091c5d82cc0d99550f529ed3
SHA256 7bc05c4b0d57ab42fb37c5a7469fa8ed329a77845446a189a9af5325d0bcaea6
SHA512 55e0ab88a134c0977d78ee871979174643a031ce7a6b23dba0115db81a6bd34e64db4c34ba4c62e9a18f3db8c4aaf2ed9b3f49b60d7cec96ac20bb38a136671c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs.js

MD5 7cd05762fb17299d408ac6108be8cf78
SHA1 850efb7e7ad9bc6722895bbdb01350d74406a213
SHA256 ddb5c0aa42e97756ffa2f6f15dce3cb07f213e6588c8d25bd1180e3d842c5215
SHA512 8af41a4dc5880688de735bec6ddafcd597e57bb335cc52977a773c4e5d8e2af8fda49904d36d73697e98e0451f197a2c6ef55af78258ce0f3a6a8ea7dbe1f765

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js

MD5 e73e2f4875b473b50bfae67183883c0a
SHA1 ec2239759c843ed631cc1196688a53a39bce4649
SHA256 a7c707ea5a9397d57570c2628de39e69d96044264bdfdbe89e3b2e8d6791ec0b
SHA512 76ffeeaea057bd5091fd464c4af4f0a3ae4b93db12c1f04ee273b81dbb1415c2db04ee477761fbfd54a3c403c491d53e0fed742cf0d015e5a265936bc83f228a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionCheckpoints.json

MD5 66bdbb6de2094027600e5df8fbbf28f4
SHA1 ce033f719ebce89ac8e5c6f0c9fed58c52eca985
SHA256 df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc
SHA512 18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore.jsonlz4

MD5 379f76e802a1bef31b54cc08e9f7f24c
SHA1 28c99e028267004928e1d2a25e7fb439912a2091
SHA256 db3da38fa2ea8e4963da53d891175e64a8f6653a15885613763b1f7f444e7164
SHA512 146db5a40c2fa11392d1c9cda651b1d225740ae0aa7f7c3cc1637469ebf8761685785f2920ade4ee4eb343afc15831a70fc71bfe5220f56447780239150c639f