024288440c2d9d32ae9f60e834a4d04e82618b470f09603f9cd539e184211d41

Analysis

max time kernel
207s
max time network
210s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NinjaRipper2.exe
Size

16.4MB
MD5

427df19364659e8c7a66689741707d87
SHA1

ed8c14a573de8a4b07f9579a081b6b043af14c48
SHA256

024288440c2d9d32ae9f60e834a4d04e82618b470f09603f9cd539e184211d41
SHA512

61be030e598e5cfeac9aa9b8a4ad3bada11f8311c939d2c0f1241a99a05624fa35350668d3ea727f2069072d7401485528c86ca68b8ceaa71482366d4b0d131b
SSDEEP

196608:vkP0DgYJwqFWnPv80yKEOsYNC9J7eqnqD32OvYLExXGgRJLRZ9ugbsZvokz19T3P:yIhHEn38ODNaDnk2O0mXlug/k513jaHo

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1820	FiveM.exe
2572	CitizenFX.exe.new
576	FiveM.exe

Loads dropped DLL 2 IoCs

pid	Process
924	firefox.exe
1820	FiveM.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\FiveM.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeDebugPrivilege	1440	taskmgr.exe
Token: SeDebugPrivilege	924	firefox.exe
Token: SeDebugPrivilege	924	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe
924	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2964	1656	chrome.exe	29
PID 1656 wrote to memory of 2964	1656	chrome.exe	29
PID 1656 wrote to memory of 2964	1656	chrome.exe	29
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2492	1656	chrome.exe	31
PID 1656 wrote to memory of 2460	1656	chrome.exe	32
PID 1656 wrote to memory of 2460	1656	chrome.exe	32
PID 1656 wrote to memory of 2460	1656	chrome.exe	32
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33
PID 1656 wrote to memory of 2528	1656	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NinjaRipper2.exe
"C:\Users\Admin\AppData\Local\Temp\NinjaRipper2.exe"
1⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b39758,0x7fef6b39768,0x7fef6b39778
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2808 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:2
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1472 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 --field-trial-handle=1260,i,1834371039387897592,14145166250204297649,131072 /prefetch:8
  2⤵
  PID:1060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2256
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.0.367199382\1374728063" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {544f6866-afd4-47d3-90f7-5b47402ebb55} 924 "\\.\pipe\gecko-crash-server-pipe.924" 1296 122f3458 gpu
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.1.436672773\92231266" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52042d4e-9be2-473f-8f5d-ed7535e30714} 924 "\\.\pipe\gecko-crash-server-pipe.924" 1492 f72858 socket
    3⤵
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.2.2008242685\2002438098" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c7af0d-2f79-4882-9684-71a57e696258} 924 "\\.\pipe\gecko-crash-server-pipe.924" 2128 1a089158 tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.3.273578080\1264283371" -childID 2 -isForBrowser -prefsHandle 2536 -prefMapHandle 2524 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d14174-b09c-4137-a96c-ae67eb88f0bf} 924 "\\.\pipe\gecko-crash-server-pipe.924" 2532 1bb1b258 tab
    3⤵
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.4.1050517681\1068848896" -childID 3 -isForBrowser -prefsHandle 2836 -prefMapHandle 2844 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6c61b3-75de-4c4c-847d-96f14426bfe1} 924 "\\.\pipe\gecko-crash-server-pipe.924" 2928 f62258 tab
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.5.344119937\358375176" -childID 4 -isForBrowser -prefsHandle 3724 -prefMapHandle 3688 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a0fba9f-38d6-42a3-9c4a-9b6c862023ae} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3736 1e623d58 tab
    3⤵
    PID:576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.6.1489030071\1816917884" -childID 5 -isForBrowser -prefsHandle 3840 -prefMapHandle 3844 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {578cf316-3a98-4970-b4ed-0cdfd032204e} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3828 1e622258 tab
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.7.280494249\610273412" -childID 6 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4564e52d-920b-48bc-867c-bc7dd96757f6} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3996 1e624658 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.8.2064819671\1281320321" -childID 7 -isForBrowser -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67c43cfc-327f-4aba-9c86-a922408d2764} 924 "\\.\pipe\gecko-crash-server-pipe.924" 4340 21cb5e58 tab
    3⤵
    PID:2648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="924.9.871040446\1536493967" -childID 8 -isForBrowser -prefsHandle 3740 -prefMapHandle 4512 -prefsLen 26691 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16e3eb3c-5825-4c46-94e0-611260fabcc8} 924 "\\.\pipe\gecko-crash-server-pipe.924" 3732 1e5bff58 tab
    3⤵
    PID:1504
- - C:\Users\Admin\Downloads\FiveM.exe
    "C:\Users\Admin\Downloads\FiveM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1820
  - - C:\Users\Admin\Downloads\CitizenFX.exe.new
      CitizenFX.exe.new -bootstrap "C:\Users\Admin\Downloads\FiveM.exe"
      4⤵
      Executes dropped EXE
      PID:2572
- - C:\Users\Admin\Downloads\FiveM.exe
    "C:\Users\Admin\Downloads\FiveM.exe"
    3⤵
    - Executes dropped EXE
    PID:576
  - - C:\Users\Admin\Downloads\CitizenFX.exe.new
      CitizenFX.exe.new -bootstrap "C:\Users\Admin\Downloads\FiveM.exe"
      4⤵
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\448e058d-5c78-4319-ae20-4719fbe1d53a.tmp

Filesize
268KB

MD5
19bb06fcdc4011325d3ca2fe68190f00

SHA1
7fd3ad46dafb21e029712555b83bd11e6808f742

SHA256
405e1f815a82e47cc670000cc01e8ea9ea3507c8617c2bf13eb2ddc47c9020cb

SHA512
358de7c3e89888839459a7ace20f1adf8e9b4deecdd931a90923715e64f87167221aad1db6a60e484da225c2bd78cc67f822ce8196a7f0d58e16a25b982d5eef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6c2c726af015b1ca003252eccb17036b

SHA1
d93dda8ab54e30ecdcc8abfd07371e37442783ec

SHA256
0c6eb0037e6e8e42771042d2a8b12bc231e21ea437b05c98fdf35e32c05dbe15

SHA512
b6913f59f88762663ee8ebc43ad2ce97e7aa7baceb71d5800d1e75c82c1de53506ac815fbf33b82d57c1bf61c10b68d1c0c0d5088e2aa7d6bae29a47e2287316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
268KB

MD5
442a3d6096a4d2642a9cda0f76b2e4b2

SHA1
53d04cde343495eca31ec4d5b2bd8678946d32d0

SHA256
646d0bad00a3234beb9c2911982703c2cef1eff0ffc33175b8f7f1803f4584fd

SHA512
0e1a5e0fc2c38bdb8c474d25ceac09f2a5d465c94c421c341ae75da47ceae524906f7b74d730fb4984b71944e0a37867c0a0d0cddaeffd2fbbf4f4193c3c0475

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xkoyglns.default-release\cache2\doomed\15073

Filesize
9KB

MD5
a645fa890d2bf9164224e409a0f2b989

SHA1
00255fe2c9e2f67a8c6b91ccd46756cfa47e9c02

SHA256
d62689b12ba6ccf0b7054d78366a6c7e2be2ab6670db7a61855af9f2f018881c

SHA512
977410bf146fec6772e335c4b583eed742df4ce04a43fbbb1f6b3c3da04f517114515288a8ed8c6261e1f0edc411f4414a85d0b9ef9e28bb6e2693cde16b5f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEE18.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0d22c39b76eda767c725d50049c8fd56

SHA1
efc16a3992d6e15885ba1e42cd3a7a06fa35a40f

SHA256
0d8cfdf329b40a75682eb0ed3ef3b82d6786b7ded4b0a03cd224aa17bbe5cfbd

SHA512
13cef251f53fedf06a026b1e69eb020bc49e9c2742bdc85f4398e139743aedf41a9b5b02fcc53a8ce098106a9e28387f469ec0fb62769035e53b17bb884c37b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e94e024fd134e0b4a19ab59181bdf408

SHA1
dacdea7de084b5cd9131baf3d39074b6818d79ca

SHA256
14027f601df5bb1e320ef2a6a28c48c5e6401aa44daf96c8b5e050e365407cd1

SHA512
d653e8e75b4d89c61d28ff4f3e980775b5b43f6eca4d831a921dce191e1405ecd055cea5bffd257f493b83f133309b5dbd07f5aaaab9a700928b8567c5e26f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\449bef9b-bf22-40db-ad2b-5144385c55c4

Filesize
11KB

MD5
ac66762a149106c2bffc1545091254b9

SHA1
9a9c003a553cb846ef3da52453d3d9500eecdcc1

SHA256
ad2f86c78fe79118321e9f196424ed367775f4fa973dd6c7381dcb30c6486a70

SHA512
6ca850ee5672227d5896dd4c57c0172850bb4c96bb547282ea64dfed7e5c51cbcfa436009e7e2929e90af317bd4d9ff11eea56806d7898dc65145c230854fbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\dcba1fbf-f977-435f-a748-521bf4fc8357

Filesize
745B

MD5
76cb54138a3092263e06164f97335920

SHA1
402479095a5a8ce81fa5f7b084afb0d78da460f9

SHA256
ccf3150b330e47cba8d6f09e8cf2f818c7d44ee362cba48e9ac9a881fa23ce36

SHA512
46b504e5b1226e86ad80a775eaa208538e7ad5d5df29b339b212d0e450d7c32b40d54c416daa5845596bb676083274ef10ab6d1e2723c55caa78d938f81c8108

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
9ea5a710f151e6f3619023fde2ba34fe

SHA1
8ed934797ca7ca7b91608d9a9d459370a2672ff1

SHA256
f5562e6c58d377f95007be5ade32b9ba5b569f16334f422307f2d68fc51864a4

SHA512
2d87b29c3447914ae9f767d41b4ce15df4237230bb357438232e863825cd71817f5ce0961576b2697c863186b8425559dcce6c79be2ebc5d10ea2799fb5d6286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
bb8f944b24ba7328c2a6980ef820c0d3

SHA1
28d9dc6631f797a302b4574782c4701f79ca9f51

SHA256
e42b454f42b73d81dc0fb382457a6eea9e5d9b8cbfc8e5800dae61eb707ba9d5

SHA512
84651c816f2b914ba9355786e153745e8303c0f486313c0db5937102a19407532e91e98878e1ab9f68a96208538374c8507cb4a87385111293b6b59ed686532f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
94f82cf0a63a45bcf834ce70655c8587

SHA1
2b0921ef7b1292371ec4fbcbc8e2ec2d1b5eaac5

SHA256
4e0863a17263e3eefa91670c40ad10588a4fd0f206b850b7cbf7a06526263177

SHA512
387c7e07fb2649ae0eb2547db2810fc994640ded9ab9831bbef4de38d0418d14c45d2038243e89ea35913d28594c12086f0440a48e0aedb69ac381f0e746b64e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
dfd5f1a723a8f203980e3ba876c191eb

SHA1
652d357fd8771029cf0d41dcb5eadb373081930c

SHA256
e4d5f85134307a7f9e93899ae09d763a26a001c40d604cbe3d486151e1084b4e

SHA512
d1a8c974d26cb2e718f9d4dcb6e8a7a4ed98ec22fae5e3c4e21db193f7aea4d86b0af68e4385108ed5ef534b04177e8b5d2e9c065b9039217ce3f0f7bdfdc9bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
99ae0704b64c5e5c1dcb75acb65c7e48

SHA1
1806338753bace17305b8d01034cc412a81bbd2a

SHA256
c1acda31855caf4383794c3fd61e16553d6bfca5bc7d4944def6fa79ba354aad

SHA512
dad56c16555aa67c6eade0ce082fa81867e26543d46a50743087a28aa5d6a3c193ef435d49f162aea8e3c18ae75425e121d904afb7d0fdb9856567829850644e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
507003208a2c1c8c0826a3fe7ead4cc6

SHA1
9ed1db2d75899e48324a6fd4cc11b8e70489a31f

SHA256
c1d98186542bbea96af0b1d11ef0a8f3ffef3ab94a92fe4e88e82b0005b2d4d5

SHA512
200a8815448b8ca181a442ca0bac03047fd221dc2c0dd802ac220e9dc4468159578b7dd3580640b5f537240c3236629bec71ed6f814a0304afa283773eca0f86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
93a221c7ba42cfe571fa3597514c2f57

SHA1
4bfd764e42b3461572df7e2f0d0c784a04433d01

SHA256
ba8846cecd7aba19ca1cb5ad9603b6651d8c83264d424fd0ac236d1f44e8dd28

SHA512
3e2ed80d0e94f20695f53f54deeadf6127dafc51367f604044b00c104b4d5c066f90992acca6c7f3f0121a95e72332d45038603552ccb2d9224def786f548d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
37086af92332c37b867a61b8c328ea56

SHA1
0239296391407be12f29eb53077e9ca63d1ab5b1

SHA256
9b718805e16827410c1c496b6a7bc0b13fbd7843e98fd8f5ea95a58d2af6741b

SHA512
e75a5f3bb4e7743c2245c08b723b4398a51b86d6e0c727672dd998f834d28350b2ffa14f7d6cf975456a28e54d56c41c0d5b1848b86c82350e6aa258a930b518

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4320ce7420f98292514c38a19219b6ee

SHA1
dce25fcf96e260817b1ea364e92ccb44142bb95e

SHA256
9db1021823085cf69ee2fb20abadba274fa02c7cb5f26fef76579e3c55161b8b

SHA512
7396cc3f5e48b72c5dd93837e8abed8fd9ee705b3dabb00abf18670d119a8e781273468985af54f34a1bf9c77c2bceee14388d5fa7a793618e5100b0a34c33ef

Download Submit
C:\Users\Admin\Downloads\FiveM.huhJtK8b.exe.part

Filesize
18KB

MD5
2b635f75df182f6d81c014ea5f51367b

SHA1
0a93235dd3ce70815aa79ff3fdbbdbea8d41239e

SHA256
0b716a77ac793d16fc8a9d2e9be41ccf18d66fe7885d7fd45f957d9e4865cffb

SHA512
094181ca6d63debec2e1ae8c17c38348faf50e902aa7774ec89020aa28a262c580b91485b5df0387083d48423c57b22655015a8d49715131c562dc9b88b99ea8

Download Submit
\Users\Admin\Downloads\CitizenFX.exe.new

Filesize
5.0MB

MD5
40656179a85e1a011020bfcbdf826eb8

SHA1
d791c47ef3ac9f244adeee6ae0344d9ea58bf7eb

SHA256
22da7642439c3fa50955ff47f0b9d9b6d9d5333d0cdde5b7729fe1a0248caf5a

SHA512
9ec603dcdf49919d495d67346b3b0a42bbf956f43b2090286c35e1eb714bcdb72d246c42840f697eeed3e53045ef27b9273d43aa1195319456051f36527cb58c

Download Submit
\Users\Admin\Downloads\FiveM.exe

Filesize
5.0MB

MD5
e8c3fd1b35507fa301fac9367f28757f

SHA1
fd03919c9370248a62c9d540f6cd9fbeccac09f6

SHA256
05a99a0067ddde35a8b6c92721fc8ee058ffe1cee9a9dceb2bafb1a8e2d92368

SHA512
7f4f60aa0978a5f3f49cac744c11b6fe410cf32ec8dcd83fd6ad2120e9830b242b6f6a758c03ca76e8ffa800dbfec1b92f759c176f829f94492ed81e65befcdd

Download Submit
memory/1440-173-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1440-174-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1440-172-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1440-171-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download