Malware Analysis Report

2024-10-19 07:42

Sample ID 241014-yd535asfrb
Target meshagent32-mesh.exe
SHA256 c9fb879ceee5d354d2f773a565f7a537cb71733ea79dce8763a819774c64304c
Tags
mesh meshagent discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9fb879ceee5d354d2f773a565f7a537cb71733ea79dce8763a819774c64304c

Threat Level: Known bad

The file meshagent32-mesh.exe was found to be: Known bad.

Malicious Activity Summary

mesh meshagent discovery

Detects MeshAgent payload

Meshagent family

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 19:41

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

Meshagent family

meshagent

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 19:41

Reported

2024-10-14 20:20

Platform

win10v2004-20241007-en

Max time kernel

1724s

Max time network

1152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4132 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4132 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4132 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4596 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 1800 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4172 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRestart.docx" /o ""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd69d14-f492-40bf-a246-bd0cee62f055} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929a8287-d87c-429a-9895-01b5802ad0dc} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3188 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c3555a-f67b-4b2f-9c00-ffdbbeaa0fd0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4248 -childID 2 -isForBrowser -prefsHandle 4240 -prefMapHandle 2712 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc197ed2-47b4-469b-aab2-2eb58ec9d6f9} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fcd362f-3703-42d2-9132-f5f21935ddf4} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a202bc2-5b20-4fbe-9475-7db73e22c2ef} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a0577b1-c7fd-45b0-b297-b6ca43512971} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc803fd-200d-46a4-9f55-e6547ffca931} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 5644 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37be502c-627b-4ce9-8809-23acc1d19a78} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -parentBuildID 20240401114208 -prefsHandle 6248 -prefMapHandle 6256 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4522765e-71fe-4d54-a6ef-cc2740b2e830} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6244 -prefMapHandle 6252 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723c157d-df65-498d-af78-111d906860ab} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6608 -childID 7 -isForBrowser -prefsHandle 6628 -prefMapHandle 6008 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b4b168-c8d4-4434-8cb1-2edbd97cf8c0} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6596 -childID 8 -isForBrowser -prefsHandle 6780 -prefMapHandle 6788 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b386081-2360-48d1-98fd-9a3fb2efd8e2} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
N/A 127.0.0.1:58571 tcp
N/A 127.0.0.1:58579 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 5.161.26.52.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.200.22:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.200.22:443 i.ytimg.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 22.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 rr1---sn-ntqe6n76.googlevideo.com udp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
US 8.8.8.8:53 rr1.sn-ntqe6n76.googlevideo.com udp
US 8.8.8.8:53 rr1.sn-ntqe6n76.googlevideo.com udp
US 8.8.8.8:53 rr1---sn-ntqe6n76.googlevideo.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 6.28.194.173.in-addr.arpa udp
GB 172.217.16.238:443 play.google.com udp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
AU 173.194.28.6:443 rr1---sn-ntqe6n76.googlevideo.com tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/5056-4-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-3-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-2-0x00007FFC10C6D000-0x00007FFC10C6E000-memory.dmp

memory/5056-1-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-6-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-5-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-12-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-14-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-13-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-11-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-15-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

memory/5056-10-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-17-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-16-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-9-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-8-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-7-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

memory/5056-18-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2f4085bcde8cc8001a0c66e1b3fa2c21
SHA1 5277d356def60a3af5c2889e2d03a127e56a2ce9
SHA256 da7c119ee3a61455ecf58770ede1961fd5cb34a3628fd4c6026e838a90addfae
SHA512 a965d37d91b348cc981102bcb15c1516daf3cb17f73b2ba74e6b4f009d26f0f8dd4e3d71b388f5fa77792d7fcbef17d4898012b60a45ecb1209c2fd94cf13d37

memory/5056-59-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-62-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-60-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-61-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

memory/5056-63-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\775b80d4-9596-41f6-bee8-ed0c1eea47f1

MD5 6450f9dd849a6abd0f0bedbaec41aaab
SHA1 c32316a081fa16a98f886263e90aa58bdbd9249a
SHA256 7a290f9dbebcb32e601c85791652c25b71ba4cd42353234f0180ea1c59615fee
SHA512 10f451eecd82f4ca50281fa0d87ffcd60440a250edd3cb54f092a6af60b5cf89983c1c65eea9272e548b8ea8b7c006ddb73dfd30210d66af908c963e6e0db365

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\f5259a18-7aed-436a-bdc2-97212ea1887f

MD5 17561f7c0d8b95194834990415334c07
SHA1 8a9a755db1f6b758e0fb20933cd4d25c4c03fab2
SHA256 cc6e0ca5e7793dbb4740097b1f55ef9e85e8d3578b0a82158d181b758ea9e687
SHA512 e4f2a774b6b65fe323d3b5cea4a1b97023e87f5a61c081361c609d4442c2f6e980debc28bd354f169881a659b295fd6c43988121eb45d609098e286db2072b20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\11670282-128a-4903-83d5-70b7b7331a2d

MD5 449f8fbfb92c9980fbb62de03dd433bb
SHA1 ebc7e8312c7c559b6afa0feba720d33c0278b232
SHA256 21c81de8e21c98b39c04a1cb606dee84997554b65abac4478d10363c42fb7eb8
SHA512 ee0ceddcbdd25c7a876775887f8864dbdbe6d0fbd533411a694193b64e4e813e72a0eecacf7867c513a09e938ab86080aa79b266a3e3b4a43ef041170354fab2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

MD5 8fa964548c7a9648ac35813f1474c452
SHA1 87c92d180059e475826ff69c8f97057e1cabe3b6
SHA256 b32d066668cdd56ce3640f63013cc6cac8a91540d258179644b3bbae4f007c2a
SHA512 374a8c16cbf0be9921c5cc46ed52b4849acb6d7c83dbcf21c14c4bfb09544e00c872fd541f927a44d5988deef8ed6d3879cde9319b7c23e29286265d6188ace0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

MD5 c251f2a5094d1c61a7ad1b1761c3980b
SHA1 4873380573a78b3869ce64257d5f310b78366265
SHA256 ac7617133a8fcc840516c0b20a784c71ae36335dab9f5552468d72bfdcc2e344
SHA512 1302b6aefa036425175e7e5c779238643c6cc6bd892cda672dec14b5b99af0d3912b180b4af4c7e5e53fc6a352b5162f41666b0942e357a1b1a63cb2de5c8025

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

MD5 cdd138c50a19cfbc6241c9aa610216c8
SHA1 f97ac324758a2b4b8a67d95f0976110e34459bfb
SHA256 a0db5b6686d5e49be5b41ed8b28fd98151272b96e79e36aeeeeb8e7ca53379e8
SHA512 cbea2e0f576dfa1825a9d2263da5f1ffc8b672c6270891290636085913e78b00040ac461fe3d2b0dc768a5131232c0c985e71ea649b1ffca0af07293c94b92b7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

MD5 2e00c4c63aaeedbca09e5e84f0b06bab
SHA1 4b624fd49d1b755da75fcd87c52b4fcb59b5e80d
SHA256 4662405c126e441f913a1c9369262487d4bc5f8d721fb88e087c6599c74eeeca
SHA512 283bf2c11d278742037a23a863e8a2059b3a410352ab1ce48bdbfa1fc3fa05eedf0a2519a5063f37a9b40968e33b0d819a66d45bb354019ca01e2a18af1b0e12

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

MD5 8034bc285ad243194db4938c4607ff4e
SHA1 6ce6e6b96031df7bca239ff2ec362b7e351af5ed
SHA256 68bf6f78fc93dcd66bee61b7b84b5f9d22fa190a52c0e3c65bb63626d59f4bc6
SHA512 cf3985e1fff069711d49ee46177323c74e07dd2a8e01dbfe8968f9d5495795abf46774b4ab01ea980b0796b7eb36699cc54f9421aef01f2fc4799163efc1df8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\default\https+++www.youtube.com\cache\morgue\215\{b8341a55-e61c-4684-b693-b6404be9c5d7}.final

MD5 2a252393b98be6348c4ba18003cc3471
SHA1 40f75302fcbe4a8ac2e33a8d9daf801abc2a9598
SHA256 04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee
SHA512 07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\default\https+++www.youtube.com\idb\1854707665yCt7-%iCt7-%r5ees6p2o.sqlite

MD5 aacd22420c25dfac1d89d63129a34a56
SHA1 ea8161cf0e68ef70092e9dabb9908d1791a175e5
SHA256 70db4f9fcc68b7cd632a487f3e410ee6909c6e9de3ff5d41e0b12b081da9acfe
SHA512 681448c10fd2d6e450b6f1c91fa249d1ab5d3dff5d8b15c04fc80b34a94122bf2e87fd28500234133f85f3848cf91a980e6a7980ee8af0d79a4e63d9cb89b146

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

MD5 18e69e4eb7db9a79bf44a9332cc70f03
SHA1 a73ec112a74e322f2254fc865ddeeaa6ff89dd81
SHA256 a5857af4e31940d81f0f6a3de1df68b61286f657a1f892bacbcc560f01fd619e
SHA512 c5a9671d7ff30af99554e8f6b3ce64a9222b7fd6e2a40e9c4d8b010c62aa2f568a65e27557302372aa976586f894d4412a25a31d2e74cfd0b4dd76334bc9ebef