Malware analysis https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmandrillapp.com%2Ftrack%2Fclick%2F30476375%2Fwww.nasgp.org.uk%3Fp%3DeyJzIjoicTJ2S1FVNzFqNmVhRkJYdnBEMG1hZk9HZk1nIiwidiI6MSwicCI6IntcInVcIjozMDQ3NjM3NSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5uYXNncC5vcmcudWtcXFwvZXNwaXBcXFwvbWFuYWdlX2ludm9pY2VzLnBocFwiLFwiaWRcIjpcIjBmYTA5Y2Y5NjdlODQ2N2RhMzg4YmFlYzlmMzBiOGQ4XCIsXCJ1cmxfaWRzXCI6W1wiYzk0NTZjODJlNGE4OThjM2RjMzg1MTY3OWIzOTYyYmFhNjA0MDdiM1wiXX0ifQ&data=05%7C01%7Cp.manager3%40nhs.net%7Cf145e54fab564d990da608db3fd85ede%7C37c354b285b047f5b22207b48d774ee3%7C0%7C1%7C638173970768515601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=HAAdfZ1lOFYt2ieo%2FdE0OFrzrvfLQmyFQyr9g4GGWo4%3D&reserved=0 Malicious activity

Add for printing

URL:	https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmandrillapp.com%2Ftrack%2Fclick%2F30476375%2Fwww.nasgp.org.uk%3Fp%3DeyJzIjoicTJ2S1FVNzFqNmVhRkJYdnBEMG1hZk9HZk1nIiwidiI6MSwicCI6IntcInVcIjozMDQ3NjM3NSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5uYXNncC5vcmcudWtcXFwvZXNwaXBcXFwvbWFuYWdlX2ludm9pY2VzLnBocFwiLFwiaWRcIjpcIjBmYTA5Y2Y5NjdlODQ2N2RhMzg4YmFlYzlmMzBiOGQ4XCIsXCJ1cmxfaWRzXCI6W1wiYzk0NTZjODJlNGE4OThjM2RjMzg1MTY3OWIzOTYyYmFhNjA0MDdiM1wiXX0ifQ&data=05%7C01%7Cp.manager3%40nhs.net%7Cf145e54fab564d990da608db3fd85ede%7C37c354b285b047f5b22207b48d774ee3%7C0%7C1%7C638173970768515601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=HAAdfZ1lOFYt2ieo%2FdE0OFrzrvfLQmyFQyr9g4GGWo4%3D&reserved=0
Full analysis:	https://app.any.run/tasks/d6e048c7-4522-4981-8e59-6f6b15c406c3
Verdict:	Malicious activity
Analysis date:	April 27, 2023, 11:11:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MD5:	B2ABE181CFC03AA3BA07E66161E1A228
SHA1:	18C0E0A84CD838EF69350E85C7D010C26BE633CE
SHA256:	29F1BAA4C6B920200668C0FED83B9201078514733B94C837D5DCBBB1DA1DFDEA
SSDEEP:	12:23qxDRWTjE+E91cPYMhYnw9y5Y63UwHZT56ek887rxKP7RPCkpPdf/:23qZoTjE1cPl591VwLt8fwP75pPdf/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
Opera 12.15 (12.15.1748)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - firefox.exe (PID: 5000)
  - firefox.exe (PID: 3788)
- The process checks LSA protection
  - slui.exe (PID: 508)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 3788)
- Create files in a temporary directory
  - firefox.exe (PID: 3788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

508

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

1208

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.8.1635384465\109801512" -childID 5 -isForBrowser -prefsHandle 4924 -prefMapHandle 5552 -prefsLen 28177 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb16fd3-24dd-4645-b6d3-fc09211edcc6} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 5352 21587e65258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2088

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.18.1590331625\1877965024" -childID 14 -isForBrowser -prefsHandle 7648 -prefMapHandle 5688 -prefsLen 30362 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {487c04b7-96ca-4266-9281-5d5c1dc044bc} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 3204 21580ea7858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2616

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.15.1960076827\1479775738" -childID 11 -isForBrowser -prefsHandle 7056 -prefMapHandle 2860 -prefsLen 30362 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afc85e2b-b03e-49e8-aa0f-1cafa0e00d52} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 6084 2158ba9dd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2620

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.11.1991944567\946176540" -childID 8 -isForBrowser -prefsHandle 10048 -prefMapHandle 7240 -prefsLen 29334 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c00896a2-2aba-4a74-80a7-98f057708dcc} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 8116 2158ca52b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

2812

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.2.1222680548\394181234" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3128 -prefsLen 22811 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbda1850-ce33-4871-8fa0-8ddb59662629} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 3140 21572f96758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3292

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.12.1147846171\212177927" -childID 9 -isForBrowser -prefsHandle 7112 -prefMapHandle 7116 -prefsLen 30180 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e7014a8-9057-41ac-9899-88bab93599da} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 7120 2158ba9e058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3464

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.17.128164910\964271695" -childID 13 -isForBrowser -prefsHandle 8052 -prefMapHandle 7704 -prefsLen 30362 -prefMapSize 237145 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230321111920 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f16a60ef-0674-4eec-8081-4c0f859e6bd3} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 9856 2158349aa58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3488

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3788.14.2078320008\33711431" -parentBuildID 20230321111920 -sandboxingKind 1 -prefsHandle 7936 -prefMapHandle 7616 -prefsLen 33430 -prefMapSize 237145 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1d2af71-3f96-407c-8810-37ef03393183} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" 7756 21584f49b58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3788

"C:\Program Files\Mozilla Firefox\firefox.exe" https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmandrillapp.com%2Ftrack%2Fclick%2F30476375%2Fwww.nasgp.org.uk%3Fp%3DeyJzIjoicTJ2S1FVNzFqNmVhRkJYdnBEMG1hZk9HZk1nIiwidiI6MSwicCI6IntcInVcIjozMDQ3NjM3NSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5uYXNncC5vcmcudWtcXFwvZXNwaXBcXFwvbWFuYWdlX2ludm9pY2VzLnBocFwiLFwiaWRcIjpcIjBmYTA5Y2Y5NjdlODQ2N2RhMzg4YmFlYzlmMzBiOGQ4XCIsXCJ1cmxfaWRzXCI6W1wiYzk0NTZjODJlNGE4OThjM2RjMzg1MTY3OWIzOTYyYmFhNjA0MDdiM1wiXX0ifQ&data=05%7C01%7Cp.manager3%40nhs.net%7Cf145e54fab564d990da608db3fd85ede%7C37c354b285b047f5b22207b48d774ee3%7C0%7C1%7C638173970768515601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=HAAdfZ1lOFYt2ieo%2FdE0OFrzrvfLQmyFQyr9g4GGWo4%3D&reserved=0

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

111.0.1

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

Add for printing

Total events

36 930

Read events

36 916

Write events

Delete events

Modification events


(PID) Process:	(5000) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	delete value	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: 3B0DF08701000000
(PID) Process:	(5000) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	delete value	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 1B70F08701000000
(PID) Process:	(3788) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Progress
Value: 0
(PID) Process:	(3788) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(3788) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(3788) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1
(PID) Process:	(3788) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0

Add for printing

Executable files

Suspicious files

457

Text files

118

Unknown types

Dropped files

PID	Process	Filename		Type
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\webappsstore.sqlite-wal		—
		MD5:—	SHA256:—
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\permissions.sqlite-journal		binary
		MD5:B9FAD2099472D85952BAE986988F7F69	SHA256:BFB184E92A02345C74D37996BE275B29652B4549D360D98F4F64FDA4E2F62BB2
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\ls-archive-tmp.sqlite-journal		binary
		MD5:6D19EA1DC584EF7F548293563F4359BD	SHA256:C1AEB04792049E1FF7D41318FBBCA4CB7D30E713B2D10D7D348838302F16D223
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\ls-archive-tmp.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3788	firefox.exe	C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json		binary
		MD5:58728D2E9D553BB2369BDB4A618ACAE5	SHA256:7EBC652A4B5B43608F61AC1057C51EC2EC1C8E33BBEB130794E15AF72BEB42E8
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:374790A733B5C083A3CABB939B8DD823	SHA256:A1CE417F44E8833D9583634C095B2D65869B4D6B34EB85DBDAAC83779456031B
3788	firefox.exe	C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json		binary
		MD5:73FB7EE28411CA10ABCF6CBA977D101E	SHA256:849D46105AEB4CAFCF5E3B9ED655D08AFDCC82E60AF3460FE316792292AAE1AA
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:374790A733B5C083A3CABB939B8DD823	SHA256:A1CE417F44E8833D9583634C095B2D65869B4D6B34EB85DBDAAC83779456031B
3788	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20230321111920		text
		MD5:5C0F02406ABD1A7F9400EA8E0B731E72	SHA256:D9818E768B325DA54F231E7EE66376B01E6F81DCB43809BFB50AC463455D210A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

147

DNS requests

222

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3788	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	whitelisted
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	binary	503 b	shared
3788	firefox.exe	POST	200	13.32.113.9:80	http://ocsp.r2m02.amazontrust.com/	US	der	471 b	whitelisted
3788	firefox.exe	POST	—	172.217.18.3:80	http://ocsp.pki.goog/gts1c3	US	—	—	whitelisted
3788	firefox.exe	POST	200	172.217.18.3:80	http://ocsp.pki.goog/gts1c3	US	binary	471 b	whitelisted
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	binary	503 b	shared
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	der	503 b	shared
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	der	503 b	shared
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	binary	503 b	shared
3788	firefox.exe	POST	200	2.16.241.8:80	http://r3.o.lencr.org/	unknown	der	503 b	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3788	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
3788	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	suspicious
5952	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
5756	svchost.exe	40.126.32.76:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3788	firefox.exe	104.47.20.28:443	gbr01.safelinks.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
3788	firefox.exe	52.44.135.59:443	spocs.getpocket.com	AMAZON-AES	US	unknown
3788	firefox.exe	35.241.9.150:443	firefox.settings.services.mozilla.com	GOOGLE	US	suspicious
3788	firefox.exe	35.201.103.21:443	normandy.cdn.mozilla.net	GOOGLE	US	unknown
3788	firefox.exe	2.16.241.8:80	r3.o.lencr.org	Akamai International B.V.	DE	suspicious
3788	firefox.exe	142.250.186.42:443	safebrowsing.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
gbr01.safelinks.protection.outlook.com	104.47.20.28 104.47.21.28 2a01:111:f400:7e15::1a 2a01:111:f400:7e14::1a	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
example.org	93.184.216.34	whitelisted
spocs.getpocket.com	52.44.135.59 54.166.225.128 3.210.193.78 54.152.110.245 54.165.39.203 3.218.246.95 3.226.113.135 50.16.121.128	shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com	50.16.121.128 3.226.113.135 3.218.246.95 54.165.39.203 54.152.110.245 3.210.193.78 54.166.225.128 52.44.135.59	shared
firefox.settings.services.mozilla.com	35.241.9.150	whitelisted
normandy.cdn.mozilla.net	35.201.103.21	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

B2ABE181CFC03AA3BA07E66161E1A228

18C0E0A84CD838EF69350E85C7D010C26BE633CE

29F1BAA4C6B920200668C0FED83B9201078514733B94C837D5DCBBB1DA1DFDEA

12:23qxDRWTjE+E91cPYMhYnw9y5Y63UwHZT56ek887rxKP7RPCkpPdf/:23qZoTjE1cPl591VwLt8fwP75pPdf/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

The process checks LSA protection

Reads Microsoft Office registry keys

Create files in a temporary directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings