30423d3ca90c921d2a727b0a5f8c4cec1a63823283b84bb6135c866ce33fa23d

Analysis

max time kernel
52s
max time network
69s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
21/02/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ramengine.dll
Size

1.1MB
MD5

2172263e6f1e7eefb2c54517b1215243
SHA1

0ef23327aa2f0ea7f2c74ba7a90c3fcd03a37238
SHA256

30423d3ca90c921d2a727b0a5f8c4cec1a63823283b84bb6135c866ce33fa23d
SHA512

ccaa6cad97380b4b70ca80b119b04d2d50bb4f1c018c168f185ebf7caaed00f7e8679f2bc898b86a99f9b6ec15d6a4337eaad2a2a03de3e6d71a11d57762dd14
SSDEEP

12288:Y7q8Cmtvv8T/2xkz88j8F7mA2CgVuHjnbbpyqTsziz824xzoxzD9+zNzXXVoyf92:wKEMqxkzvIdTjbbwqT5z8YuXVRf92

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4604	vlc.exe
3728	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4604	vlc.exe
3728	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	firefox.exe
Token: SeDebugPrivilege	832	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
4604	vlc.exe
4604	vlc.exe
4604	vlc.exe
4604	vlc.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
3728	vlc.exe
3728	vlc.exe
3728	vlc.exe
3728	vlc.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4604	vlc.exe
4604	vlc.exe
4604	vlc.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
3728	vlc.exe
3728	vlc.exe
3728	vlc.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3676	OpenWith.exe
4604	vlc.exe
832	firefox.exe
3728	vlc.exe
692	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3288	1764	rundll32.exe	72
PID 1764 wrote to memory of 3288	1764	rundll32.exe	72
PID 1764 wrote to memory of 3288	1764	rundll32.exe	72
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 1416 wrote to memory of 832	1416	firefox.exe	77
PID 832 wrote to memory of 1444	832	firefox.exe	78
PID 832 wrote to memory of 1444	832	firefox.exe	78
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79
PID 832 wrote to memory of 4808	832	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ramengine.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ramengine.dll,#1
  2⤵
  PID:3288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RedoUnpublish.3gp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.0.83207202\1892526676" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1660 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fada769f-bfa1-40cb-9736-a281f4345d3c} 832 "\\.\pipe\gecko-crash-server-pipe.832" 1764 1dc189f3f58 gpu
    3⤵
    PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.1.764906389\1042957058" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f8ce2e8-bcd8-4c39-b429-b301670829d7} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2120 1dc1853b558 socket
    3⤵
    - Checks processor information in registry
    PID:4808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.2.720390491\1514022653" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91c48dd5-c2ce-42ac-9557-0e79dcbe4332} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3100 1dc1c97c958 tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.3.918290438\376401393" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3440 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff7f290a-2454-469d-8df9-d7078c50052c} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3460 1dc0d962b58 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.4.1428118294\1513983205" -childID 3 -isForBrowser -prefsHandle 4192 -prefMapHandle 4188 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c14772f-0f05-49a1-ba46-be592a6b88c1} 832 "\\.\pipe\gecko-crash-server-pipe.832" 4224 1dc1e99e258 tab
    3⤵
    PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.7.1773928062\1809768728" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8af55f-36fa-48c2-b68d-c1f6da20dd1d} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5080 1dc1eead158 tab
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.6.1083098545\1015877297" -childID 5 -isForBrowser -prefsHandle 4756 -prefMapHandle 4804 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf0b71d9-b741-46f9-a980-babd2a293a3e} 832 "\\.\pipe\gecko-crash-server-pipe.832" 4188 1dc1eeace58 tab
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.5.85749465\1966282772" -childID 4 -isForBrowser -prefsHandle 4772 -prefMapHandle 4680 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c6ff0f6-c36d-432b-8865-bb84fe2535bd} 832 "\\.\pipe\gecko-crash-server-pipe.832" 4756 1dc1eead758 tab
    3⤵
    PID:4332

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RedoUnpublish.3gp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.0.876805705\1144502933" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1668 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3925c24-1ecb-4ba7-813c-242f45ebb4d2} 692 "\\.\pipe\gecko-crash-server-pipe.692" 1544 25596fc4f58 gpu
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.1.174465563\985552885" -parentBuildID 20221007134813 -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd97adae-a88d-41b1-8653-83d3dbc2af38} 692 "\\.\pipe\gecko-crash-server-pipe.692" 2116 25596b3e558 socket
    3⤵
    PID:2536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.2.1217866602\1900057016" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0494c556-5dea-4dc0-ac0a-823ffb3691e0} 692 "\\.\pipe\gecko-crash-server-pipe.692" 3048 2559b2ca558 tab
    3⤵
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.3.778392424\1484361915" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c491b516-d630-4148-afcc-457c672a8464} 692 "\\.\pipe\gecko-crash-server-pipe.692" 3484 25599a16658 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.4.935030566\1528682730" -childID 3 -isForBrowser -prefsHandle 4224 -prefMapHandle 4220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2baa7c68-efcc-4381-ab99-dc6c29c97a69} 692 "\\.\pipe\gecko-crash-server-pipe.692" 4244 2559d014d58 tab
    3⤵
    PID:2556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.5.797633857\735128234" -childID 4 -isForBrowser -prefsHandle 4724 -prefMapHandle 4720 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70aebe9c-6730-47da-b3aa-36f4beeeb712} 692 "\\.\pipe\gecko-crash-server-pipe.692" 4736 2559c5e1858 tab
    3⤵
    PID:2716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.7.1051792665\1440077133" -childID 6 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9bf9cf-76b9-42d6-b39d-afec453c1b4f} 692 "\\.\pipe\gecko-crash-server-pipe.692" 5048 2559d5ba258 tab
    3⤵
    PID:4624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.6.1317601073\278131390" -childID 5 -isForBrowser -prefsHandle 4868 -prefMapHandle 4872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74cd01f5-b47f-4fdf-b6c5-7e27ec1c90cf} 692 "\\.\pipe\gecko-crash-server-pipe.692" 4860 2559d5b8458 tab
    3⤵
    PID:4316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.8.1744983041\1275673510" -childID 7 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {497d9a15-32bb-44c9-b247-e1e524a52fe2} 692 "\\.\pipe\gecko-crash-server-pipe.692" 5656 2559e9d5658 tab
    3⤵
    PID:1164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.9.626572016\1761842571" -childID 8 -isForBrowser -prefsHandle 5812 -prefMapHandle 5816 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {535dd9c2-1d53-4ff1-adc1-62d933c64c59} 692 "\\.\pipe\gecko-crash-server-pipe.692" 5800 2559ec5aa58 tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.10.1630162334\1437426155" -parentBuildID 20221007134813 -prefsHandle 6092 -prefMapHandle 6096 -prefsLen 26247 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f46d3c-ed24-40da-913e-1b77cb85a820} 692 "\\.\pipe\gecko-crash-server-pipe.692" 5868 2559ee06e58 rdd
    3⤵
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.11.725709874\1650853189" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6000 -prefMapHandle 5868 -prefsLen 26247 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b79459-0953-4368-b7eb-f2751661c89a} 692 "\\.\pipe\gecko-crash-server-pipe.692" 5404 2559ee81958 utility
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="692.12.1094412315\1429437778" -childID 9 -isForBrowser -prefsHandle 6484 -prefMapHandle 6480 -prefsLen 26422 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc46970-0e4c-4624-8e09-a2d876699b9e} 692 "\\.\pipe\gecko-crash-server-pipe.692" 6496 2559b8dd758 tab
    3⤵
    PID:5532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
51f4ba36f51af4245b591ccdd246e8a6

SHA1
9416c263f8cf79d53af6bf794190fddf59492d6f

SHA256
953315f59a48dc3268fc2a5a9b94c09f038f95ab4549f7cc9bc23731fcc87f38

SHA512
9a779667640b31aee75bc5fcf3dcf69ad21fda41aad94e10718ab98467a94c5adc6436ef187efd1a92d85179df95b692fa3f63c97cf3b31f3e3bba593e322028

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
6e43b519548bba01f2103fccdec673aa

SHA1
486275099234fa07c0bf17b973057e031e7ae4d8

SHA256
f9cb86e4947991ab2615c3560376c9418f7a9182a623abc84b08dc4dbed2f092

SHA512
8d548b1c65be5fa8efa726a1a07084a5d827e83fcf82abb63c0d438fc75c72237203853690b39dbc08c8c71989a387c046f674b6db89b40ae9e896deffdb54ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
9KB

MD5
1f897b21e324ca605f6b0a809b10ab08

SHA1
d828073aa06b97d933cc0bd25941ed83e187987f

SHA256
c873df8a40b8c99c7470927252ac627d70696fa34093e728e49214c3b1c3d5ec

SHA512
b13fb22b9328bcef6c845aa687b74e3d08e03a094a12704b97bafb1c568be9bb10e162b7063433c331b59b576eeb1dbacbc12b50d1a25fab58bff9bda3be0ce5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
3fde2c370e2190f811c42ef3edf6f109

SHA1
75d22d5520c76e9403517c068b4b79439feae3dc

SHA256
d150e9d64ea8018863a4f28e20e686ae6547fc19a0335a0a314c0641c28148b8

SHA512
d1b57757b69968bc3c9fc10daeaa3349264754ee23195b8ffa8f04d0e6f02c9b4e83f3b43ebc9b299e64313857b220bfb08acc6f836de3f0fb0e520e33994def

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\SiteSecurityServiceState.txt

Filesize
324B

MD5
0db1baa4234f5be65f7bfa3bbd36e8ad

SHA1
f026484796c382ce24710cf9d8c604cb47f88793

SHA256
550a1957c52b83ed80dbf57b94e9f7c5a454ff86a61f1032960dc6fbb69e4dd4

SHA512
c3deaa3d44fcb2ce6c0feaa99e4a4886e47395ba60fe6f8b309a4f78ca85eb3c7a8150343d0bb770030a0f47f8635ce3b7e5be66b8b35f6e750266252663a132

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin

Filesize
10KB

MD5
c520c870ee4cd45e112f43b62c63b075

SHA1
5a467af2bb46d4d154a2db6534e8c892efe11cbb

SHA256
61485dd0498940725e9a108ac665e397134d37a31237a4f9be32c5d4cad6f8f0

SHA512
ed6ce2c848c45535dabe6088f2ab8f752721a132aec89e0a592dbb350ecfad5f0ec1cda7e52cd6cae65d97a1a5872106828bf2b8c39b4bcf1a62e153f972fece

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
22f09d9447813561074c437c1537ef7d

SHA1
175b6d180826282937698dd9f79056ea6faf2f65

SHA256
ccebdba93e911cbff79fd166142b47d075a0dcff471a94bdd1258e6fb93d8733

SHA512
508184cae9be6c02e3d551ce700d730d87af1b291347b56b140121097e6d49b89f1ca30b2abd48bef3aa664c99e6c3bdeec979e54c6f71a931b4657ed099f337

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\589be560-0ba2-46e1-8073-4535f702b929

Filesize
734B

MD5
4491ccfdde0006dca04785bbd0c910a6

SHA1
0ecd761df9368f7ab3f0e9786968c8601f06fe4e

SHA256
e47058bbf2a8e478282f7c54c1bccf050e8867c503576bfe18a9ed185cbcf7a9

SHA512
2b7a676aa90547a156012cf1bcf5c6e8751905516a030e9f565136ed291bd2c9f86065b607e00c0006932504d51616abb34cc4dc44e26a7a92a7f98a496a4aab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\5da03bc6-8214-49a1-98bc-efca965d139f

Filesize
657B

MD5
80398c2145f94f3756c93d0a5a80c272

SHA1
e8dd9fee19b06eadce25930ab06d19dd65d20868

SHA256
9bbbf5b2bd3a84547bd58ed77b1c945fed3ec2ab9eebcae6eb4d1f012ad5127b

SHA512
7d7e75481e744d4e051c8c587c083aecab15c3435129c6d873be7bc79005ba464d7c8b38851ae2debb128671aef88843ed6d141eefbbc27154fa330c5ac0837e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

Filesize
6KB

MD5
3288a51760e16092b613ed020059cee6

SHA1
8fa9084e1b931404ad86d4b0b1d767a0564f3dce

SHA256
03e5099f5adaac83d36c4991dc817da53b778402d0808c29b04d3694575f6fcf

SHA512
c9eba8b8b7477ad821d628ff658c5d97edd8dccdc46666d82ea53c6450a4d281af74cd756cb55096605fac047a4ecb87a897fc805f84aacb82a051df85f0a8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

Filesize
6KB

MD5
ef8dd5072042393945129079e0c88eb4

SHA1
d2387fa056aed42a5dfa31bcadea65e8d09b4e39

SHA256
5b018ee7df50271fbe929edb7ffbf490a8d9afc9a9241fae8dd6fbe7f1e85974

SHA512
b9514514512362122b61fec91bac80a452e6cda13c7212384f3e7020ed837909357d83099b061f3562a8575a536e32d9306734fdd33559fc357941ac32acb53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs.js

Filesize
6KB

MD5
7071491bbbdd7a3faa491cba743c43b8

SHA1
598252254d67ba3815a91c1662d4a946a17e3533

SHA256
5d082de7aec3502dabcafd3584207966dd977e1c4dadca2aaa52a92d9dabbf5a

SHA512
4d6ed9c4d402b3bf7a8270e5ede0188203f5cdb655547eec80ce187d27b684addac33a71c296883b44e4d41f9baa5a04be86416a4aaeedf2ea9f74c57d205e80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionCheckpoints.json

Filesize
288B

MD5
6b77a9f779399e95d1cee931a2c8f8ff

SHA1
826efd4feb0d50fcce5696111af7c811b81adcd9

SHA256
3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

SHA512
ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0aac62bacbe7e67fbda9ac095ce0c8bd

SHA1
acf7dfae6e1231e5bbf3fe5a358779b39431c2e2

SHA256
5d612322f9266eaaf315f4765df9dd77ccfd2c8d3cdaa8cc57fdb093299016e8

SHA512
9e942ac642048e132f21098faaca086a3943a707d9d127eda0f134239899714390434e3f208849d7634d0e71f6c056925df17167399c7b655b216facf5b6c9e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore.jsonlz4

Filesize
883B

MD5
9ce047d1ae69c8a7a63be82549b04059

SHA1
6dc348fa0a4a8c9fe6fb800a4b6e53343cc53ca9

SHA256
ec8dd9db6f0c9a80b815da16a0341195d14dc05ba17235e8d2d450d094b11e0b

SHA512
56d600c7f45c14ced3f7e0d29d1af77ad857af50bffeea9c6326bde07326d82d168a8e04638aa7db4c26cb162db39bbe95b099bd396f4d2f9fd4bc941b525c04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++www.youtube.com\cache\morgue\88\{f3a86ebc-03d2-4c6e-8019-7668d1165a58}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++www.youtube.com\idb\290029631PCe7r%sCi7s%teefnft1E.sqlite

Filesize
48KB

MD5
e7247e53b6bb3af654b5bca90da8aa38

SHA1
c492d3c6e258c2801005bac47c86219be407dc52

SHA256
032a08da2800188adc8d7f313aecd43dcf7c3e74f584f93d24fe1785b1333849

SHA512
f04f8343bbee035b05198104ff07dd5a9276ccfb481a9335be9d964aa5ad2e9cd5b2f1662ae636b8d0f4e75f605869497ed36669f83a13f1ba05173faa52af15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
af6ba3835edf8f024e6cb5bb582aa20e

SHA1
6bd67c1a150c9729dabf6f792c84486ffada4a20

SHA256
ab2fe1a904f0d22933453e154f08b09982de8f687358e414a66a00ce62d126fd

SHA512
a1057a20c4e46255b417df8b4bade525db9e27963f102d80342e9c2eeed69e3f3348892f8835905341d8cc8060211f03b71bd2d85a9d3fb24910dac446c2f259

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
bb3801c8bd1075de77f49618c1ae7287

SHA1
ccb40678bbdc73d34b94db585c4c100214702766

SHA256
08af67ec0f291ad5556e2372a0e1708630da567ba54d87defc67f3bce6036dba

SHA512
74272acf8a0cbe70ba38a37709b814b9c1ae963667a9c2bd7cd45e860c3c2b7ce477303e05876a87c4845fa03149c18550a537d3bded4c44561cbb9a38d4c271

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\xulstore.json

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
504B

MD5
6a320314e722ced036114daf8e077201

SHA1
3d3a6a37f3c6836c65aa93ab2e1abcfcf4405ef6

SHA256
a155fd48274646664f573990392b666dd4dbb3ae89f9208e10ca5a0bfdf542fa

SHA512
97220c3b7fb21385f6f852e7950e103f4706f6d0d67ed08622edd83f14eeee8b6e7145650036545618fba4ea0be9cca723963dff3a39cb9f36c115d4808d8ec1

Download Submit
memory/3728-155-0x00007FFD94E10000-0x00007FFD950C4000-memory.dmp

Filesize
2.7MB

Download
memory/3728-153-0x00007FF62EB00000-0x00007FF62EBF8000-memory.dmp

Filesize
992KB

Download
memory/3728-154-0x00007FFD99D70000-0x00007FFD99DA4000-memory.dmp

Filesize
208KB

Download
memory/3728-157-0x00007FFD84890000-0x00007FFD8593B000-memory.dmp

Filesize
16.7MB

Download
memory/3728-156-0x00007FFD94A90000-0x00007FFD94BA2000-memory.dmp

Filesize
1.1MB

Download
memory/4604-13-0x00007FFD842D0000-0x00007FFD843E2000-memory.dmp

Filesize
1.1MB

Download
memory/4604-9-0x00007FF62EB00000-0x00007FF62EBF8000-memory.dmp

Filesize
992KB

Download
memory/4604-12-0x00007FFD84890000-0x00007FFD8593B000-memory.dmp

Filesize
16.7MB

Download
memory/4604-11-0x00007FFD94E10000-0x00007FFD950C4000-memory.dmp

Filesize
2.7MB

Download
memory/4604-10-0x00007FFD99D70000-0x00007FFD99DA4000-memory.dmp

Filesize
208KB

Download