Analysis Overview
SHA256
b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805
Threat Level: Known bad
The file b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805 was found to be: Known bad.
Malicious Activity Summary
Stealc
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Checks BIOS information in registry
Identifies Wine through registry keys
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
Modifies registry class
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 15:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 15:42
Reported
2024-08-17 15:45
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000003002\896b55c70c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\199c79b9b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\199c79b9b2.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 808 set thread context of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1436 set thread context of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3876 set thread context of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000003002\896b55c70c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe
"C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2284,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe"
C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe
"C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\1000003002\896b55c70c.exe
"C:\Users\Admin\1000003002\896b55c70c.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac500ca4-b1cb-46a0-8d5e-e0916666a01b} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25870280-ddb9-4e30-bfb0-9546e6b8911d} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3004 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb915a9-3a6d-461f-baa0-3ec7f82ed723} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50eab677-03ca-4852-a5fd-4ee449824ee5} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {792254ac-3392-4d6b-a342-887d0ef34bcc} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 3648 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be8f6446-5eed-46dc-b60b-860509db2000} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5400 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0184020-5618-4fb7-a733-c78bdd10f4d8} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88c33b64-f344-430c-bfb3-c970ac7a896f} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6292 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbff93dd-e9d0-49a6-928d-7c03436553e1} 2472 "\\.\pipe\gecko-crash-server-pipe.2472" tab
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.215.113.13:80 | 185.215.113.13 | tcp |
| US | 8.8.8.8:53 | 13.113.215.185.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| N/A | 127.0.0.1:50024 | tcp | |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| NL | 108.177.127.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 84.127.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.249.226.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| FR | 216.58.214.174:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| FR | 216.58.214.174:443 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.201.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.20.217.172.in-addr.arpa | udp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| N/A | 127.0.0.1:50032 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r3---sn-4g5edn6k.gvt1.com | udp |
| DE | 74.125.111.136:443 | r3---sn-4g5edn6k.gvt1.com | tcp |
| US | 8.8.8.8:53 | r3.sn-4g5edn6k.gvt1.com | udp |
| US | 8.8.8.8:53 | r3.sn-4g5edn6k.gvt1.com | udp |
| DE | 74.125.111.136:443 | r3.sn-4g5edn6k.gvt1.com | udp |
| US | 8.8.8.8:53 | 136.111.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| FR | 142.250.201.174:443 | play.google.com | udp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| NL | 108.177.127.84:443 | accounts.google.com | udp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
Files
memory/808-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/808-1-0x00000000006A0000-0x00000000006D8000-memory.dmp
memory/3748-3-0x0000000000400000-0x0000000000643000-memory.dmp
memory/3748-6-0x0000000000400000-0x0000000000643000-memory.dmp
memory/808-7-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3748-8-0x0000000000400000-0x0000000000643000-memory.dmp
memory/3748-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/808-63-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3748-64-0x0000000000400000-0x0000000000643000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\RoamingFCFHJKJJJE.exe
| MD5 | 19d4b831e5dd11605dedad6373ca39b8 |
| SHA1 | 5b6058633e97812425c3d02b35478d3a03c27188 |
| SHA256 | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060 |
| SHA512 | 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9 |
memory/376-100-0x0000000000490000-0x0000000000937000-memory.dmp
memory/3748-101-0x0000000000400000-0x0000000000643000-memory.dmp
memory/376-102-0x00000000776D4000-0x00000000776D6000-memory.dmp
memory/376-103-0x0000000000491000-0x00000000004BF000-memory.dmp
memory/376-104-0x0000000000490000-0x0000000000937000-memory.dmp
memory/376-105-0x0000000000490000-0x0000000000937000-memory.dmp
memory/1228-117-0x0000000000480000-0x0000000000927000-memory.dmp
memory/376-119-0x0000000000490000-0x0000000000937000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000001001\199c79b9b2.exe
| MD5 | 21f570b2a3b04bc8c2d031c296413458 |
| SHA1 | 72c65436b31fe8d27c00eca9acf9590c7d6fd222 |
| SHA256 | a4fc1e5a680d5701279a61ada37dc8b19d302c7113e70324caba4156a0f9c2ea |
| SHA512 | d0cfc5dfb6d34ad66db0ffc469ea1276f60fe87a58e307e7e2ce887c37413bb09a5fec4b425f4bfef4b8a3a4e6da70e2434f8424797e38bd40fdc1604a8ae874 |
memory/1228-139-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-137-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1436-140-0x0000000000650000-0x0000000000780000-memory.dmp
memory/4476-142-0x0000000000400000-0x000000000052D000-memory.dmp
memory/4476-144-0x0000000000400000-0x000000000052D000-memory.dmp
memory/4476-146-0x0000000000400000-0x000000000052D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\e4cfdd17bd.exe
| MD5 | ffe249f6034df758cb53f8ff9a3ebee2 |
| SHA1 | 3fc5462ba4caad758cc51823700168cacaa0cf91 |
| SHA256 | b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805 |
| SHA512 | 627e5dd507c6380001ad05134e11bb239433e9d1d48b7d9e4ea3de7bf231a723af7b231e59bd0c500f44b49633c1b6300b9bf5130b5dc24e79cc5bcb8889b92a |
C:\Users\Admin\1000003002\896b55c70c.exe
| MD5 | 278ee1426274818874556aa18fd02e3a |
| SHA1 | 185a2761330024dec52134df2c8388c461451acb |
| SHA256 | 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb |
| SHA512 | 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0 |
memory/3956-184-0x0000000000EB0000-0x00000000010F3000-memory.dmp
memory/3956-185-0x0000000000EB0000-0x00000000010F3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js
| MD5 | e0152e6cbbe2c57e0afa4ad934fb296c |
| SHA1 | 2a149343f4500af77b7bc83bc1247de3856b7bdd |
| SHA256 | 02f3f9070c900f0ea72a33b3fc9e9355178ee064cdeb00dc2ef114e3cf04fd53 |
| SHA512 | 418e34e88d9b201762559c436e787838145261c9a07d424eb7fb46b98e30ebb302fab23ea99a7308954998ef053e4211d482051a8a43e537d87f1676083dc2c4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\07a2ac6f-6c96-4ead-a735-28d9cbd43217
| MD5 | 18a4d37d92d5bd15c8292bd0e35e9ff1 |
| SHA1 | 905cc245f360ef5055d2fc75aeb16b1a7bf681f0 |
| SHA256 | 82eea5b38662548710e887ff8ca5375bd96d5a43dfc74afbfe0cad33dbd3939b |
| SHA512 | 4018c42fee0ca809564195112627302c4f2f5dbfbea2dc12f864726e42c66dd2e23549a7f09ef3f46ac98c9e239631bc5d40ea0d07a481c8a56e620a7c40d1ff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\b6192598-5521-4e1d-a4da-f420729503b8
| MD5 | c3e11b62afee3c9cc2f902408d06fc07 |
| SHA1 | d623f63e8f4e95cda61456da5ff56dab3994dd4e |
| SHA256 | 2c7daa2e3c8c305c762bb4c355c23fa625b14e9d2306f33ef67daddc68efdbe4 |
| SHA512 | 6ff0f50738630230975645f172cb974ed0c921a70e3105d5c88ecdddb90f829b48346970b720cc517ec278718c3d2ae76a23702a94d0ee8a51aa4fda7c10721a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\3df652c7-0c55-4d43-a0dc-c8a0db5a7756
| MD5 | df2bac2322c6a2814bca9c53efc89f86 |
| SHA1 | e847f5dd77e6be3264f21fc3e7a97bfbb97bd6db |
| SHA256 | 27669da3789e71a1b7cec83c3e729e6622098054a718efc93fb2ab1d2312253c |
| SHA512 | d4f6c3de5a9c7197a11d5ac0b697bdc890edb5de0adab36a831a70d585afd54c9b2a11f516530300fbf26b43fc6479f432aab79449e9021945462ca67bd0f105 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 7bb2f850a5e56078e498c5c4a549ff67 |
| SHA1 | 11cd2b36ee651dba4606a523f2350ccf5c96d110 |
| SHA256 | ed70acfc44712e01a7d6c236ae80a2d3d4f50780c3f8c33ba451f654dd21e232 |
| SHA512 | 281b486f5a2a4676301e9f747730575b34061fb0a818c2e033d173f74b70428907b67def934fc2f941b79857cf0e1a531fb1d168b43aa26e54860ac3457ed509 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5ea852f4c4437cc376fae74ae3f3bc9b |
| SHA1 | 8cd42772fd867de8d0ced94cafb610430c5c45de |
| SHA256 | 7f29d30e926dd01e1354010ee864bb9d37139747c93a354cf4d373fe2450e81f |
| SHA512 | 198259f6a65d383547359df4c5706f008d252ab9e52c7c5708efea937ae80e4024acf0dadecef07f08a0900ab6e2430839c08063e23790c5ed666a44b7588258 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js
| MD5 | 82078b42a26a5dbee90861181e0318d4 |
| SHA1 | 2a0364dcad6963825b6169552a04e61aae708c7d |
| SHA256 | 6b017b5e3ed7afb2a4d62bede15f3fe8df77d6b2f586c23a95d68de147568919 |
| SHA512 | aae071cf943418da117799964d629f18baca6c26b307791ceb1bfc2d478f893d5417f2c82cfedaef8a89eefe6b2e596ebeddf202fba0e8d6d3097ac8bfed9524 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3
| MD5 | 9cbfc56d1377f448e68723dd2b04262f |
| SHA1 | bc08a69a3dd16f8d519bfd40ac21616dbbd5e6a8 |
| SHA256 | 1e50c829d7a9dc5ace0dff31c0e51467661c7d8d43d6df0667e832b0c9cb0a49 |
| SHA512 | e1137832a36c9ccd3b79e06b203f098b46a20c6cf374404025327ac6474e5c3e5f958378f4d9038735147c603492d0a64fd86bfd1e8f6d047124c12ab76b2c52 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
| MD5 | de204724b8d67a8b351a2d6552ab1554 |
| SHA1 | 7f9de5f75d33373d620b732ba40427efe6da2cc9 |
| SHA256 | 95f815fa52cd809a6d7124484f5b7870721556c23c1290939a4ab73712dc0639 |
| SHA512 | 908addc4c41e0f1f3952f7d40d9e18153e737549a923c1f796914423757f85a0a2d42bec34815b4eb315242635319f4cb19e32a983009bb669c22fea9b92ed77 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js
| MD5 | bb4d67aa5356f6e64654a6f86d42b153 |
| SHA1 | 1b28fe0d7718060d1bf9adf017a340bf0e5275d7 |
| SHA256 | 23f0e7cdfaa741b2e6fd17d9d55470419dc3cb670eb965b031df99a5cbd30b44 |
| SHA512 | 003cff57eacb5fb5a8bf1509f0fb6acd5d8057f5cbcc234d83d57c17eb88380b260c970b056069c1deca00e93f6127a97d4a630b681f6295b75033fe9c09a7c3 |
memory/1228-536-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-555-0x0000000000480000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5193ded7b3d5fb92f9caeafa2c632c6e |
| SHA1 | 1a504df42796a5163607b6677c2ea3a5e3fd6eb6 |
| SHA256 | c43d32f13894714b84a236b7069be116841ca07e74af075703d30788a0f5bb3a |
| SHA512 | 12a7a017ecb1996607b397156582f4b49d2555828a296a0f7f9aedd5c62c38f5839d962ebcb4812c07c25a7f1240a31297a7487d06e06d77e6226db545c96262 |
memory/1228-592-0x0000000000480000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js
| MD5 | 4fff70cb8dfdd406fb85eacba81cc202 |
| SHA1 | 30318889049a5af66bb0b9fabc1be5ac1ca1e567 |
| SHA256 | 1f69919126518d8426c14bfb730bf92431935ed3b5f82b095813d3e9faae707f |
| SHA512 | ce841d85f636ae89f80ec8634768909513f8a7e66dde8236251a7ecdfa95f7d0e0cca74fe3dd07be39f713d2f80e7b6a8c31eed365fa57f486fb2c0fa98bf511 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
| MD5 | 7327782696ea84d3dc4777b2eee752c3 |
| SHA1 | 2a10649323f60ae72b652d824a1a787f5652737a |
| SHA256 | 53350c2053e6a7cbbc150a4bea42fccd00e887805bb563032d1a15ac44c3c918 |
| SHA512 | e433b3f45b10920ee39cf73b9eea8e254e6e156e3e69d684e8d4082de8d17bda588cbab1e12c0e2a3ac7a9fd46de84965f13c1c5aaa787ae3d63df19b9895867 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 9cfe4d16a8fc5b605eab93a5673dd38c |
| SHA1 | 3c707a174ebaee1ab0bb4a499b15204c6381229b |
| SHA256 | 15bbeafa17fee29e3355f8adcae0ee37642561f430b96a6459c8cf9ef39f1598 |
| SHA512 | 853244ebe4b965e6e6a7f1ca8b451bb7981014f08fdae36f64ec088bc3a93f5c05b1ef45ccf782d258443801129668d24784bca8f80bb13553efb0862d5fc3f1 |
memory/6140-682-0x0000000000480000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | efe35d17bd9a83baac8ab1269816ed61 |
| SHA1 | b006993d7f5a7b90ac793972491f5a8d49ff807b |
| SHA256 | e30e2008c5e8be3942d76d39f317313c97c2af67d6c01987f77e3f5249f5e642 |
| SHA512 | be665831a9ee6647fd4adeb67dcb24c4df9aa6ffd64809f7fa3e1c3e580f956266905a446012a86f5868137f50fd2d2441f86d975289234649502c7fe1ed30a1 |
memory/6140-717-0x0000000000480000-0x0000000000927000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js
| MD5 | e6ad0be2a95cc60a5f39fee180cc4163 |
| SHA1 | a7d2b4f9edf000686043504e1409b4f41ec69030 |
| SHA256 | aae66b8528042a1d5c7d08eda4ca369183f39d143cc20e787875993445a0276f |
| SHA512 | f9743215fe53151e3bb5861b658500cf77bd3a21bf557c7b647beceebcaa1484822cae779be13d965375daa618f169376bb6883a0115c7b726d866d1cc98abfe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 34e496a7b6a99a002090d78e9ecd1e73 |
| SHA1 | 7900e65b8bbf3eaeda0ecd11c458d45b67ccf41b |
| SHA256 | 36255d6712c2d9d71f5128107ab9a98bd4c1c14eefa020ee1c5ed1f614fb6db3 |
| SHA512 | 313d9b00c2c5b3659a1d5b0ded330255912ad50286c6c840b1e14f50c1f203378c00e1f01b5fc3d9f59f6c2d24503610a88d79076d7f332e6351f5cab06437e4 |
memory/1228-1039-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-2184-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-2920-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3333-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3337-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3338-0x0000000000480000-0x0000000000927000-memory.dmp
memory/5528-3340-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3341-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3342-0x0000000000480000-0x0000000000927000-memory.dmp
memory/1228-3343-0x0000000000480000-0x0000000000927000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 15:42
Reported
2024-08-17 15:45
Platform
win11-20240802-en
Max time kernel
91s
Max time network
101s
Command Line
Signatures
Stealc
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4916 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe
"C:\Users\Admin\AppData\Local\Temp\b542b28a1cb65fb8a4c26dae8dee7dca7414ae4042f98e37db95a11504ff5805.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
Files
memory/4916-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/4916-1-0x0000000000EF0000-0x0000000000F28000-memory.dmp
memory/2776-6-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2776-3-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2776-8-0x0000000000400000-0x0000000000643000-memory.dmp
memory/4916-7-0x00000000749C0000-0x0000000075171000-memory.dmp
memory/2776-9-0x0000000000400000-0x0000000000643000-memory.dmp
memory/4916-10-0x00000000749C0000-0x0000000075171000-memory.dmp