ramnit | b9b4468bb0e38fc053e30e93fd63a93027b5339407fb24be2cfd15f4e6accd30

Resubmissions

08/09/2024, 13:22

240908-qmjx9azhng 10

08/09/2024, 13:18

240908-qj13cszgmd 10

Analysis

max time kernel
49s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
Size

92KB
MD5

d4735c97976979e50b382c24f1f89103
SHA1

855af19bf14866556f0b8795e3bb6c90a93809c0
SHA256

b9b4468bb0e38fc053e30e93fd63a93027b5339407fb24be2cfd15f4e6accd30
SHA512

ef61aaabf22ab0562e5d7a36259a3d3089b78ab38e155cfff50471b247290ea5fd515180715365469041bcc4f995894cfc15e60c2a7ae249da5050cbb7458f2b
SSDEEP

1536:UVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:EnxwgxgfR/DVG7wBpE

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
5112	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3892-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-5-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-4-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3892-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5112-35-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px60AE.tmp	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	4532	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{75E9AF64-6DE5-11EF-84CD-EE255DF7DB21} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1249128913"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1249128913"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130098"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1247417579"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1247417579"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130098"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130098"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130098"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe
5112	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	WaterMark.exe
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
632	iexplore.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
632	iexplore.exe
632	iexplore.exe
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
4916	firefox.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3892	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
5112	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 5112	3892	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe	85
PID 3892 wrote to memory of 5112	3892	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe	85
PID 3892 wrote to memory of 5112	3892	d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe	85
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 4532	5112	WaterMark.exe	86
PID 5112 wrote to memory of 632	5112	WaterMark.exe	92
PID 5112 wrote to memory of 632	5112	WaterMark.exe	92
PID 5112 wrote to memory of 316	5112	WaterMark.exe	93
PID 5112 wrote to memory of 316	5112	WaterMark.exe	93
PID 632 wrote to memory of 4540	632	iexplore.exe	94
PID 632 wrote to memory of 4540	632	iexplore.exe	94
PID 632 wrote to memory of 4540	632	iexplore.exe	94
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4720 wrote to memory of 4916	4720	firefox.exe	104
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105
PID 4916 wrote to memory of 4848	4916	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4735c97976979e50b382c24f1f89103_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 204
      4⤵
      Program crash
      PID:5040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4540
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4532 -ip 4532
1⤵
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8f272ee-7171-4472-bba6-c222a62164a0} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" gpu
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0907ea31-84df-414d-b437-e66d1d0c4c31} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" socket
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 2940 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff977f9d-06c1-4654-986c-712c8267a823} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
    3⤵
    PID:5080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3708 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd88f8e3-9af4-4751-81c1-ec4ad23094da} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
    3⤵
    PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4696 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9689389-105d-4b0d-8ad8-5f746d23d769} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" utility
    3⤵
    - Checks processor information in registry
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5440 -prefMapHandle 5436 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb5b0253-a2c2-4097-aefc-8ca686d8f9e3} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
    3⤵
    PID:5932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c4708ce-752a-4916-9755-fc1c79668952} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
    3⤵
    PID:5944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6258e9bf-9d4a-4b6b-99ee-230601f246fe} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
    3⤵
    PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
92KB

MD5
d4735c97976979e50b382c24f1f89103

SHA1
855af19bf14866556f0b8795e3bb6c90a93809c0

SHA256
b9b4468bb0e38fc053e30e93fd63a93027b5339407fb24be2cfd15f4e6accd30

SHA512
ef61aaabf22ab0562e5d7a36259a3d3089b78ab38e155cfff50471b247290ea5fd515180715365469041bcc4f995894cfc15e60c2a7ae249da5050cbb7458f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7f9b88e0292691833018388229acfbfa

SHA1
50e3d82743913a3f81313549c45dab1ebc3bd69a

SHA256
2b930c9f3a0fff3fec9effa7f5d159d5b5c81465a1e23cf040cbcd6ab085b119

SHA512
e74cc60bceecdcbe66a67f62921daad7de864d20de476a3a18484b811ba97d1cafe702c2eacb6ba432119186db27f76ffc0fc692fd320d0c0228ec5d598c68a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d5100b2479e5fdf8f534610eb3441ee0

SHA1
2bf50a5cca757e156b9f76b99be935ee22ea8434

SHA256
ccec40056c400c40a10187a23fe0f55bb3cf1ad506f53b9aef8fbb62f4ee07ac

SHA512
ecbcf4647696cca71d2e55f22f21c8261e8d39378f00b9861c5a8976e397513e6cec19fef4be72fa87d9aa029320b655e2901bf7aa533d7ffaa783d9f7ab1e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE465.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
b98de8ffa11d0fc20db07202a2b8abb9

SHA1
f9b5a798166314ae5300de08e5c88c07f3af7399

SHA256
f7a6ee6aff04a5c78f7f21334b708e8eeac0a500891cfda01ccb4c739e2576af

SHA512
4f8e93cb18eff9175ccee6b91bd1c7c056f28545e2e5984be218437bf30fee58582955c0e48005e266d50f7ed14f35534fb52c07416a04408051d74a417c174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

Filesize
8KB

MD5
9c8755ae7ba254d674af63e54bf983ac

SHA1
cd7416d31397586edc61cf361f6a44dccf2308f7

SHA256
ec830ffccd8c707454125da420316b3df2de0cab39817d1ad6ed69812df27962

SHA512
8e9d74c191acc3709648b1abb968eed946164937d14434928ecb57068ce16dbf636a01116d130b8ec254ec1660507c05dbfbdbdbaa726446b9b6eb07b9ed2d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9c04b2ccb0f87523a70f3d4b47810da9

SHA1
2a1a9f88b8164f787cd0c62f3fa4073cd9aeea92

SHA256
f0bf493226aaff2adff72ade22e3204a044309d8b661e14120bafa9bfa859ed0

SHA512
fc7f16b6f1f9c384f6c6007a539b8b21c8133538dbd6d9581436d1b8eb7ef54a0e38552352649bb56465ba1aa1e6b28340bf9e045332e2a7f97b74cbbec7a463

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a4742d714aea2e161fed4f70fe7cc71f

SHA1
b0d509d95de7c5621edaefc7ee2e1d0603ea98e4

SHA256
1c424626d8c760c0ad60543611ef5eec8e9c467b1d031a6ccd7bc7ffc9fd85b2

SHA512
7527906c914ca595126241e017cb95e1495d9bb4a310832a18e4f76d1ca11796b398f8d8894a31b7bd2d57559e4a7c295d4592c9d67d1b443d17f22d9210d3df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3fbc0843001e0cd83e755015a77e7a40

SHA1
22bb8d3e6c23a2680093a9ac254f944cd52e88e6

SHA256
d57f667ba6c1230ed839f2d1243670ce477d90be2997200bbf74e20877e76ab2

SHA512
04abb4c81fcb46a02a628f5cc18bd983e5d44e62cf519c1a87d5e2463148e9a393d8815187b2e6a3a3631f10c726820e6ed19b1ceb9d52850dd0801fb84280b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\0ed16e6f-decd-4646-99c8-0e899d6c536f

Filesize
26KB

MD5
b39ec4551d1589fdce8a820738009961

SHA1
6a4bb833ec6f247c26e56270c520d083f069d5e6

SHA256
8b49c445e98ba7273ec2c24be7eac854c5dfe492e46a2f705e5c29f7857b7fe6

SHA512
708f1945e532868cd4dd40a6602f4f94ebba608b83ce43a3de294ec366308cc9b2fe56395d49524d08d1c136db53ffd259228cd7f1f1e1c4f1d5bc8c8f2b36a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\e4dc15b9-6be2-433f-bd93-01946be27246

Filesize
671B

MD5
689683fe90666f35a42ca5db069839bd

SHA1
e0a06b4c9a9a56273428601159f261da2408c0a3

SHA256
bebd49707fa06598e1048d47918f6edacbdc3f50b970fb5abe1e43f6d61486e0

SHA512
7cd901a6e7dd429708758c19115eed1ac65340ca9c8c4818484b9ef90354a233bb071bbf93bc42a70d2f0f84e31c18472454312a5ccd2ac2bd202b82c0fdf8b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\fcf672ba-a311-4b48-a2b9-fd063faf1c12

Filesize
982B

MD5
11d35aa03eb3cfca12f25ef99e753a10

SHA1
fbd8cfd47c89d2051f20b0cc4628a2a17e301832

SHA256
7ce782b2552bac6485814e18e8c3e8d22f656a2b3e8c073cdc49777cf0f199b7

SHA512
d7e4f919f93ea8fc621d150d640995cf13de599e4d0b7bdb6fd4656f9a39e6aa8324bd95fd8e235416253609f1f8eec02c8c7b7102bf1c1c190e7f164ea37f76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
12KB

MD5
bd3f76246eecb704f533abb9fd435b18

SHA1
2445acf774d098d9bf89847c13d8475277292171

SHA256
21629642c07062984dd7097715cf41aaa2e8990d0b6876ec6725b2193c604711

SHA512
b08e2272c11b0562bff417ad97cb0afb93741869238517b38bcc1e6fff8a8383b7b3f85fb79935708b029831230943826edca8faa4d4dd6bdf741b2d171fce49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
89565d3ab4f0f92afa7b72a2a8c4aebb

SHA1
ddb6b1315225de9634091108cfa2a8696c8a6bfe

SHA256
1833a11190628bae0f85a1c3db5f63a1445b8b5320d21b16094ee8e6747c2878

SHA512
c19cb2916fa7ed7649e1fc9b4d90190a6d1eeb52177925030d0e56aa79d6a8273c97a10bfc6c8eeff7d77b465b80d9af778a672c9006dc76392bac0450895922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
d7fa5a78f48e9511175e9bf5a61de597

SHA1
ae18bb5ff71ac3f9d53a6af7423e6a455d348687

SHA256
85547e7ce6752985adc4e321289203cb8738356b3b9c6c4f928764495d7a6d2a

SHA512
8cb2086844da5e6be2e9bb22ed020b24542fa7d8234a95ebaff5c32d27f69b65a91c0096e5af8a8c44a71ad2f979249dd6085e82527acb01684bcb4d3f6fd02b

Download Submit
memory/3892-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3892-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3892-8-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/3892-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3892-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3892-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4532-30-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/4532-29-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/5112-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5112-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5112-27-0x0000000077122000-0x0000000077123000-memory.dmp

Filesize
4KB

Download
memory/5112-26-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5112-33-0x0000000077122000-0x0000000077123000-memory.dmp

Filesize
4KB

Download
memory/5112-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5112-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5112-31-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5112-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download