92f4be23fd098350031cbe2f661f90c7377d691eec91808636d415b9741b029a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroxLauncher.exe
Size

3.5MB
MD5

e801cd1a9af46b219768d79f7d2a2b98
SHA1

a2e939298aec1770b0079284b5bc275ba9cee517
SHA256

9c34793ccd4cde1297ed243858b6411305201b95e86d1e99cf493a9a51b88e5c
SHA512

48dee9078223881716bd1360881233b6a99df3c1f6063fe69784e77243ce55e988fea1365184de69b4f1724cd59ac02d6e8deaf7fbf00eae82301122c09e71ee
SSDEEP

98304:fUqYeHg1UsnKLycqQYcDcwuavRfFujF0NpIl:LU18yArhvRfFujaNOl

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
680	chrome.exe
680	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	NitroxLauncher.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeDebugPrivilege	908	firefox.exe
Token: SeDebugPrivilege	908	firefox.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
908	firefox.exe
908	firefox.exe
908	firefox.exe
908	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
908	firefox.exe
908	firefox.exe
908	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 3056	776	NitroxLauncher.exe	31
PID 776 wrote to memory of 3056	776	NitroxLauncher.exe	31
PID 776 wrote to memory of 3056	776	NitroxLauncher.exe	31
PID 680 wrote to memory of 340	680	chrome.exe	34
PID 680 wrote to memory of 340	680	chrome.exe	34
PID 680 wrote to memory of 340	680	chrome.exe	34
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 1788	680	chrome.exe	36
PID 680 wrote to memory of 2464	680	chrome.exe	37
PID 680 wrote to memory of 2464	680	chrome.exe	37
PID 680 wrote to memory of 2464	680	chrome.exe	37
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38
PID 680 wrote to memory of 1740	680	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NitroxLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\NitroxLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\NitroxServer-Subnautica.exe
  "C:\Users\Admin\AppData\Local\Temp\NitroxServer-Subnautica.exe"
  2⤵
  PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feebcc9758,0x7feebcc9768,0x7feebcc9778
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:2
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:2
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3200 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3004
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140017688,0x140017698,0x1400176a8
    3⤵
    PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3504 --field-trial-handle=1296,i,1960880291259046384,15261157191015388977,131072 /prefetch:1
  2⤵
  PID:3008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.0.1860117121\1737320308" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89aa25de-d9ee-4bd1-a396-a961b2dac242} 908 "\\.\pipe\gecko-crash-server-pipe.908" 1268 102f7758 gpu
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.1.555468878\601603118" -parentBuildID 20221007134813 -prefsHandle 1444 -prefMapHandle 1440 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7120dc4b-c0c0-480c-b25c-c184f596fb12} 908 "\\.\pipe\gecko-crash-server-pipe.908" 1472 e71c58 socket
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.2.1367000746\1200189463" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21031 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f328fe80-ae77-40de-b1f0-712818d61690} 908 "\\.\pipe\gecko-crash-server-pipe.908" 2100 1a18f758 tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.3.1359160480\1283101187" -childID 2 -isForBrowser -prefsHandle 564 -prefMapHandle 1616 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {388067b9-59c6-4a40-9871-021b49af93f0} 908 "\\.\pipe\gecko-crash-server-pipe.908" 644 e70758 tab
    3⤵
    PID:844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.4.696162397\672616635" -childID 3 -isForBrowser -prefsHandle 2644 -prefMapHandle 2640 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d95479a0-de6a-4a01-afbd-318dd015ddec} 908 "\\.\pipe\gecko-crash-server-pipe.908" 2656 e61f58 tab
    3⤵
    PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.5.1134938897\84318877" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ff261e-8082-4436-aea3-f50204e5b01b} 908 "\\.\pipe\gecko-crash-server-pipe.908" 3856 1e0b7958 tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.6.1930496718\327158232" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7edc70a-9fc8-419a-95ac-f84793a203cb} 908 "\\.\pipe\gecko-crash-server-pipe.908" 3952 1fc70958 tab
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.7.989652097\1423668146" -childID 6 -isForBrowser -prefsHandle 4144 -prefMapHandle 4148 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ff34eb-d721-4d20-870b-4ba172ef8540} 908 "\\.\pipe\gecko-crash-server-pipe.908" 4132 1fc71558 tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.8.149405633\1926259899" -childID 7 -isForBrowser -prefsHandle 4444 -prefMapHandle 4440 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55b2b17c-bac3-4563-a432-6c20c205ec09} 908 "\\.\pipe\gecko-crash-server-pipe.908" 4456 224fa458 tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.9.964016905\603795467" -childID 8 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aa7f4f3-8a00-4f89-82ad-124f15128bea} 908 "\\.\pipe\gecko-crash-server-pipe.908" 3860 17ed8858 tab
    3⤵
    PID:3192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.10.548927073\1890684259" -childID 9 -isForBrowser -prefsHandle 8284 -prefMapHandle 8280 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7f1786e-21bd-428e-af93-35281a5d8d20} 908 "\\.\pipe\gecko-crash-server-pipe.908" 8268 1f719058 tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="908.11.1865351065\1940662982" -childID 10 -isForBrowser -prefsHandle 4244 -prefMapHandle 4232 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {264cc4a8-de4b-419a-89f1-e6509262aabb} 908 "\\.\pipe\gecko-crash-server-pipe.908" 4228 1bba7758 tab
    3⤵
    PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\42640236-3f8c-4d21-afaa-2c6a99d160b5.tmp

Filesize
311KB

MD5
1f7f30130d6ee4842105309e5504f8c9

SHA1
ec33cf3c22d5cd4a179e3cd5bbc08801c98cb9a3

SHA256
0fbf3e6f612fed3fe6ca93d9978c35a3d9783d4fde1edaf5c688ea1522f6036f

SHA512
8311cda4564216fb7d76a5c2d5ac11db4b2f8177f1a3834e507d0ae25da7d4a74d724b760412cb335374c1dae871989092c547805b2b90a81f29e6be9c2244e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
a7fdc828e67161ae2455bc1e55fcc433

SHA1
eb531b7b33e069fd72032981f77376ee310f95c5

SHA256
b5925d29086dc4ed7fab9434bd5e9f0e1b9089cbaef23c756209fbef94ccdb44

SHA512
f5766162208011ba8815125243f3ce8becd89756c96729163812b30d600d570d6ff3622a451d3375f1aae9fe990ddbed45f6bb9564f0766026852d4301076be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
08a7a1951b98a66a5b5bba04d3d985a3

SHA1
d6f643d83671799f2f8320f8b0464f8a1c185855

SHA256
27a57a065c1c728e811ed012cc73d26526b1a75fdac14b784145819410e05662

SHA512
2dc0240508be5181a7a802d865e5a242276c71344e5e821fee3333e35cfbcd7281645255a787de504c9743ae82c087c88a71c78ca3a7611bd98e9c30825e3afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
74587028313fd7fcb49ef92419bcbc89

SHA1
fc052f6f4dd4c3631721b9e802bb9103a163ecaa

SHA256
0e249fe7f2357f750071dd7335d68aeab3270859a2e0ab59199f454570b16996

SHA512
a8501e0c5bffc8324fc262cfaee049463f4391a60cac1408c328f7458d6dd89f2990992c9d24e4c1842e659215afdba617f2fc4960da1818702217aa34af8d0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
fb124592afb2a30947e554e0bd7ca8cc

SHA1
e29ca6ba4ee503e20ac772bdbd92f09457e7947c

SHA256
d0dae5c3bf2a937572d01e71686a8844da7d6063c0fe9a42d60baff805bc7ab9

SHA512
31495c1bd6ceaad35c5491c6f24589553308b8f9560f0905dcd1fd66fc0c4d9b3851f1c04497059b60cf3633fe96608ac7f31f996f775846b0fc64d5647a589d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\doomed\21987

Filesize
9KB

MD5
4164f245d928e3abeb84345486318217

SHA1
c344c7d12f887f8d4467a602c8ad49cefdb40a94

SHA256
56e8b02609b64c3ab765628c9043dc80618747f92cd4608b90f4f2e489f5c684

SHA512
ad2295f45714e91f87c25d09a56a85f7c2ab0d9efa8029b2ae8cf10cdf38e668c0216bc0307d5dfc1c612a5ab7b0b6ce08b81b08959294f48977d266a79f0fa1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\doomed\2291

Filesize
8KB

MD5
214f8416534c1fbe175e4969c850637c

SHA1
af74d224186b2a31e77e348073fef10eea771803

SHA256
b121c71a3526c4f9c6bb83da47312714160a8a2c143b4d03c9295841d4496f86

SHA512
1a8c9b786a31f8b275de6cc37c0975b31075596722b7e7bf71a95627477c9a30a71bd2a901aba8293389e705dc69dd4775743480e6ce7da8068f77ed16847a59

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\doomed\30335

Filesize
21KB

MD5
015fc798dd2d66f15e5ba88b580f9ad3

SHA1
4c6f970be5fb9451528c2f43049509f1b297b55f

SHA256
1ff8982ba51ba988894160d8c81b12af623fce6bee7e37b6c7c525bfca46c2d6

SHA512
a6e845adf848c291bc82040b859cb34ae4a14c466eb72cfe281ee3f3ccc9060e7f2549ba9a47a687e4f167e4d814c7ded711d02935e40556c5eb60f25c48de64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\8709E8A0A3A140D3BA059C3A07420EF01DA5FB25

Filesize
32KB

MD5
90e7d4429b98e9515b1f10d498006cc9

SHA1
aee437c7e0c8bc8f63a87eb479f237157a7ee7b4

SHA256
2810ec9e3909b2a1c2fc323bc3adad7e0c9bdc137b36ebb5af13141c97161173

SHA512
8f313203393453e2b0ec6a581986d381e09ec0cfe724ca90650eb08fc161e61fab9d11cfd4e5c8f1532dd98fc21547a8aa4029258f7d7359c24ded065847ae30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\8D430DB6BAA689C36466ECFF2DC386452AE3B155

Filesize
417KB

MD5
8a170a0a74552b3066f7511e778f3de3

SHA1
c6ab30832ae870e4ff2f877920cb96bad66349db

SHA256
8218b8b76ddd0f84a6dd95cda9c76f32f3b1ed5bf41f84875907ee3e41106c6d

SHA512
9812460a8d1bd269563f98cb0dadf1dc55e08882f359a53852dd8e014cb077b4369456bf401e726321f543607d07771727c55f78c44ca13a9c3550211a9da124

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
33795c2ced928b5585d6189975536764

SHA1
fb80a8287f7b73ed95b969bd5d72e9dfa506c73c

SHA256
017b4b7d572f304becfce8c0e47f950f6ffe422225efa2cdab4b9958e76c32b0

SHA512
d58ceac161e5ef5760d36346ac32905d7690e8e5ee78807f2437ec04f6076b0caff2f331b8add721c1ba38ccbeedd0bde6e995a82463cf5780ab08590fd1f361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8426ca9461dec8282f42025dc78bc198

SHA1
b033503d471229e1630c7ccb12faa8c0a6fb8e06

SHA256
c97322bd0262e9ef269426e14256dd364bfaaae554abf8ab511b38a992fbd26a

SHA512
fc284e3e60e0a146ffd22ce033fce2fa934a1bf9c9a64ff3695811d29685cbda8bdb68e3e1d6a03973c1f08057d2f4ec9d0d9741eef7648becdeecec69bec042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\39e8464e-360a-4c0c-89f7-b6f8f32bff61

Filesize
745B

MD5
4815e212264100e69074e23d08e643a9

SHA1
50d1db272ede8292fb7f5da85aaa79b3b311c528

SHA256
6b76fd96b700c1439d157b6acb63dcecc03b0e4d1aee6d9109041d71eb5a680b

SHA512
ebabae7c01a2d73a72474530eb47412561f0a9f69c71bb55c77c4ac42063ba7f4a232995553ea6ce7034571b10d335e7d209e74e66da10fa0e10560b7ea971c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\a20c165f-0d59-4222-9700-336ae8d80ceb

Filesize
13KB

MD5
1be54727c1957429a7737b34e8dcbe63

SHA1
49fcf3e593876c28d009b9f43379a15c180d736c

SHA256
24d83027d3482ac89d9a74a0f67479427f142cea25bffd4cdc2d4dfbf17e368e

SHA512
e364230bb284e3069a118c3308af9819cb0cb5cfea6008bc8edfca0474885178048ead2cf9b6c60cb4ff3d9493f87856ca78c7480f4716cb89473e73d23ee4ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
f8012eb11a0935b58d402b192b90e928

SHA1
fbfc243067da41edf13c36ae65f0e2bb8d40e84b

SHA256
82bae9268b33650580cb3ca35015a2c401a433892c8edb02cb0261224f6d147b

SHA512
df789612c7c6914df9bc4075ea985ac39015ffe0e9b6fba86c0201927601171a22e32ad1e84cb88e9f5288eb060ac95e95899e58dce8010afb8f15e427bef36c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
c409e5a6757f391666a8daf6852b125e

SHA1
1c6fe1e8bdbbf88109a5057e23a7e0d53e1632b9

SHA256
04a25e059053a868ef8ab6366e34d77248126de235a0186c4eb4cc8d3d5e5946

SHA512
4d95b48c17c6007325db607d48040955ebc4f4e7c4c3a87d674a508a794fdc43c0ec7fbd1834b7429e13ebf1e1a2e6f7e6d1c72bcb619e002a94fc4a8e40e2e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c946246aa71d3e7734f260607a6da180

SHA1
4548fece3ba13ebf3fbfad6e1edf517165310041

SHA256
023ccf5321513c3e55afdd093b06c201bdd6cced0198d396f6b8e8a4cf92d0e8

SHA512
bf7303c2e854bcaca797ae04dbf655b0301e5dd31f0c1456d6654df802b92a67c3f0285f6a5b7991a0ede1f4d5c46681e5e2176880b950da7ac2c454b1bb3c61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
69fe4a6f4ba3f9188b5cf5204e729b19

SHA1
e1dcbef30e125ad92cb1b1da6a26b38c84247a1b

SHA256
32ed57b377af55b6397aae96406650f3cf4b323d674b18b70dccd88b82e2f50d

SHA512
b735bde2d0e911031a114276784b5ae03eec66456766722c378bc1d09dd177673cf862ae8ff3ee8ea187ae2c471db04b6925bc747d2ac0e6a8d440f37737f802

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
95eca7c29aa245f344bc717cb53a6681

SHA1
784049be905efa373b6eaaa97809b42c7387deaf

SHA256
e95562eed50d5d78d7a181efb503c19007d393d61792ebdf15e7a03907b5e58c

SHA512
6bfbb25248135178219621ce702e809a027ad2b7a786f635aa17f4da2b148f7b66414fdf22cdf5002321f672a20125fd2e85f60702da3c760177857cdbad5d27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0e0dcd21227cbfabc3bcabb0199f4563

SHA1
5ccd710ea9ff215615ace566a67ad308ab5b2e4e

SHA256
e91a122292ef6457aecc39464cdd933c6a9b550ee6fa04090d0f777be1dbaa2e

SHA512
ccbd27acd387da62b005b904cc0f5899def96c7a10678e7ab346cf9c30a45b267939f5dfbdc088ab4dd47c52810c643e020658dbb556ac45049f291eaa04ec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
83950865c86d885c6dd72fa81a2c210c

SHA1
cdc884b5488e0e763b3b44bf58fa6812e520d0ff

SHA256
2db448ccb3921b4ae4afcb83ba1f05847a366dd7858380e80c01ad673787722f

SHA512
0e2e9b966abe4119f4f64eecc8b623c9b0e39ce2dcac78c0a56dfde0a75e28e5f9abba4b81cc8f906e5115c2aca64641084b74ec8c76c8fd8a586a48f7cc0956

Download Submit
memory/776-13-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-8-0x00000000025B0000-0x00000000025D2000-memory.dmp

Filesize
136KB

Download
memory/776-26-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-25-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-1-0x0000000000E30000-0x00000000011AA000-memory.dmp

Filesize
3.5MB

Download
memory/776-23-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/776-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-3-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-21-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-4-0x00000000001D0000-0x000000000020E000-memory.dmp

Filesize
248KB

Download
memory/776-5-0x0000000000C60000-0x0000000000C86000-memory.dmp

Filesize
152KB

Download
memory/776-17-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-16-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/776-14-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/776-12-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/776-11-0x000000001AFE0000-0x000000001AFFC000-memory.dmp

Filesize
112KB

Download
memory/776-9-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/776-10-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/776-6-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/776-7-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/3056-27-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-18-0x0000000000960000-0x0000000000974000-memory.dmp

Filesize
80KB

Download
memory/3056-19-0x00000000003E0000-0x0000000000414000-memory.dmp

Filesize
208KB

Download
memory/3056-20-0x0000000000460000-0x000000000049E000-memory.dmp

Filesize
248KB

Download
memory/3056-22-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-24-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download