Analysis Overview
SHA256
c9fb879ceee5d354d2f773a565f7a537cb71733ea79dce8763a819774c64304c
Threat Level: Known bad
The file meshagent32-mesh.exe was found to be: Known bad.
Malicious Activity Summary
Detects MeshAgent payload
Meshagent family
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 19:41
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meshagent family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 19:41
Reported
2024-10-14 20:20
Platform
win10v2004-20241007-en
Max time kernel
1724s
Max time network
1152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe
"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe"
C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRestart.docx" /o ""
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd69d14-f492-40bf-a246-bd0cee62f055} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929a8287-d87c-429a-9895-01b5802ad0dc} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3188 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c3555a-f67b-4b2f-9c00-ffdbbeaa0fd0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4248 -childID 2 -isForBrowser -prefsHandle 4240 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc197ed2-47b4-469b-aab2-2eb58ec9d6f9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fcd362f-3703-42d2-9132-f5f21935ddf4} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a202bc2-5b20-4fbe-9475-7db73e22c2ef} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a0577b1-c7fd-45b0-b297-b6ca43512971} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc803fd-200d-46a4-9f55-e6547ffca931} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5644 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37be502c-627b-4ce9-8809-23acc1d19a78} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -parentBuildID 20240401114208 -prefsHandle 6248 -prefMapHandle 6256 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4522765e-71fe-4d54-a6ef-cc2740b2e830} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6244 -prefMapHandle 6252 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723c157d-df65-498d-af78-111d906860ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6608 -childID 7 -isForBrowser -prefsHandle 6628 -prefMapHandle 6008 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b4b168-c8d4-4434-8cb1-2edbd97cf8c0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 8 -isForBrowser -prefsHandle 6780 -prefMapHandle 6788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b386081-2360-48d1-98fd-9a3fb2efd8e2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:58571 | N/A | tcp |
| N/A | 127.0.0.1:58579 | N/A | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 5.161.26.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 216.58.201.110:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.200.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.200.22:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr1---sn-ntqe6n76.googlevideo.com | udp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| US | 8.8.8.8:53 | rr1.sn-ntqe6n76.googlevideo.com | udp |
| US | 8.8.8.8:53 | rr1.sn-ntqe6n76.googlevideo.com | udp |
| US | 8.8.8.8:53 | rr1---sn-ntqe6n76.googlevideo.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.28.194.173.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | play.google.com | udp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| AU | 173.194.28.6:443 | rr1---sn-ntqe6n76.googlevideo.com | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/5056-4-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-3-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-2-0x00007FFC10C6D000-0x00007FFC10C6E000-memory.dmp
memory/5056-1-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-6-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-5-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-12-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-14-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-13-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-11-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-15-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp
memory/5056-10-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-17-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-16-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-9-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-8-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-7-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
memory/5056-18-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 2f4085bcde8cc8001a0c66e1b3fa2c21 |
| SHA1 | 5277d356def60a3af5c2889e2d03a127e56a2ce9 |
| SHA256 | da7c119ee3a61455ecf58770ede1961fd5cb34a3628fd4c6026e838a90addfae |
| SHA512 | a965d37d91b348cc981102bcb15c1516daf3cb17f73b2ba74e6b4f009d26f0f8dd4e3d71b388f5fa77792d7fcbef17d4898012b60a45ecb1209c2fd94cf13d37 |
memory/5056-59-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-62-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-60-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-61-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp
memory/5056-63-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\775b80d4-9596-41f6-bee8-ed0c1eea47f1
| MD5 | 6450f9dd849a6abd0f0bedbaec41aaab |
| SHA1 | c32316a081fa16a98f886263e90aa58bdbd9249a |
| SHA256 | 7a290f9dbebcb32e601c85791652c25b71ba4cd42353234f0180ea1c59615fee |
| SHA512 | 10f451eecd82f4ca50281fa0d87ffcd60440a250edd3cb54f092a6af60b5cf89983c1c65eea9272e548b8ea8b7c006ddb73dfd30210d66af908c963e6e0db365 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\f5259a18-7aed-436a-bdc2-97212ea1887f
| MD5 | 17561f7c0d8b95194834990415334c07 |
| SHA1 | 8a9a755db1f6b758e0fb20933cd4d25c4c03fab2 |
| SHA256 | cc6e0ca5e7793dbb4740097b1f55ef9e85e8d3578b0a82158d181b758ea9e687 |
| SHA512 | e4f2a774b6b65fe323d3b5cea4a1b97023e87f5a61c081361c609d4442c2f6e980debc28bd354f169881a659b295fd6c43988121eb45d609098e286db2072b20 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\11670282-128a-4903-83d5-70b7b7331a2d
| MD5 | 449f8fbfb92c9980fbb62de03dd433bb |
| SHA1 | ebc7e8312c7c559b6afa0feba720d33c0278b232 |
| SHA256 | 21c81de8e21c98b39c04a1cb606dee84997554b65abac4478d10363c42fb7eb8 |
| SHA512 | ee0ceddcbdd25c7a876775887f8864dbdbe6d0fbd533411a694193b64e4e813e72a0eecacf7867c513a09e938ab86080aa79b266a3e3b4a43ef041170354fab2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8fa964548c7a9648ac35813f1474c452 |
| SHA1 | 87c92d180059e475826ff69c8f97057e1cabe3b6 |
| SHA256 | b32d066668cdd56ce3640f63013cc6cac8a91540d258179644b3bbae4f007c2a |
| SHA512 | 374a8c16cbf0be9921c5cc46ed52b4849acb6d7c83dbcf21c14c4bfb09544e00c872fd541f927a44d5988deef8ed6d3879cde9319b7c23e29286265d6188ace0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | c251f2a5094d1c61a7ad1b1761c3980b |
| SHA1 | 4873380573a78b3869ce64257d5f310b78366265 |
| SHA256 | ac7617133a8fcc840516c0b20a784c71ae36335dab9f5552468d72bfdcc2e344 |
| SHA512 | 1302b6aefa036425175e7e5c779238643c6cc6bd892cda672dec14b5b99af0d3912b180b4af4c7e5e53fc6a352b5162f41666b0942e357a1b1a63cb2de5c8025 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json
| MD5 | cdd138c50a19cfbc6241c9aa610216c8 |
| SHA1 | f97ac324758a2b4b8a67d95f0976110e34459bfb |
| SHA256 | a0db5b6686d5e49be5b41ed8b28fd98151272b96e79e36aeeeeb8e7ca53379e8 |
| SHA512 | cbea2e0f576dfa1825a9d2263da5f1ffc8b672c6270891290636085913e78b00040ac461fe3d2b0dc768a5131232c0c985e71ea649b1ffca0af07293c94b92b7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js
| MD5 | 2e00c4c63aaeedbca09e5e84f0b06bab |
| SHA1 | 4b624fd49d1b755da75fcd87c52b4fcb59b5e80d |
| SHA256 | 4662405c126e441f913a1c9369262487d4bc5f8d721fb88e087c6599c74eeeca |
| SHA512 | 283bf2c11d278742037a23a863e8a2059b3a410352ab1ce48bdbfa1fc3fa05eedf0a2519a5063f37a9b40968e33b0d819a66d45bb354019ca01e2a18af1b0e12 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin
| MD5 | 8034bc285ad243194db4938c4607ff4e |
| SHA1 | 6ce6e6b96031df7bca239ff2ec362b7e351af5ed |
| SHA256 | 68bf6f78fc93dcd66bee61b7b84b5f9d22fa190a52c0e3c65bb63626d59f4bc6 |
| SHA512 | cf3985e1fff069711d49ee46177323c74e07dd2a8e01dbfe8968f9d5495795abf46774b4ab01ea980b0796b7eb36699cc54f9421aef01f2fc4799163efc1df8e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\default\https+++www.youtube.com\cache\morgue\215\{b8341a55-e61c-4684-b693-b6404be9c5d7}.final
| MD5 | 2a252393b98be6348c4ba18003cc3471 |
| SHA1 | 40f75302fcbe4a8ac2e33a8d9daf801abc2a9598 |
| SHA256 | 04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee |
| SHA512 | 07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\default\https+++www.youtube.com\idb\1854707665yCt7-%iCt7-%r5ees6p2o.sqlite
| MD5 | aacd22420c25dfac1d89d63129a34a56 |
| SHA1 | ea8161cf0e68ef70092e9dabb9908d1791a175e5 |
| SHA256 | 70db4f9fcc68b7cd632a487f3e410ee6909c6e9de3ff5d41e0b12b081da9acfe |
| SHA512 | 681448c10fd2d6e450b6f1c91fa249d1ab5d3dff5d8b15c04fc80b34a94122bf2e87fd28500234133f85f3848cf91a980e6a7980ee8af0d79a4e63d9cb89b146 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js
| MD5 | 18e69e4eb7db9a79bf44a9332cc70f03 |
| SHA1 | a73ec112a74e322f2254fc865ddeeaa6ff89dd81 |
| SHA256 | a5857af4e31940d81f0f6a3de1df68b61286f657a1f892bacbcc560f01fd619e |
| SHA512 | c5a9671d7ff30af99554e8f6b3ce64a9222b7fd6e2a40e9c4d8b010c62aa2f568a65e27557302372aa976586f894d4412a25a31d2e74cfd0b4dd76334bc9ebef |