hxxps://drive[.]google[.]com/file/d/1jxA-mIstYJisQJNb0NMzJFXLHrnHyp88/view

Analysis

max time kernel
37s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1jxA-mIstYJisQJNb0NMzJFXLHrnHyp88/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
137	drive.google.com
138	drive.google.com
139	drive.google.com
140	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3312	msedge.exe
3312	msedge.exe
4988	identity_helper.exe
4988	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5344	firefox.exe
Token: SeDebugPrivilege	5344	firefox.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe
5344	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5344	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4248	3312	msedge.exe	84
PID 3312 wrote to memory of 4248	3312	msedge.exe	84
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 1420	3312	msedge.exe	85
PID 3312 wrote to memory of 3544	3312	msedge.exe	86
PID 3312 wrote to memory of 3544	3312	msedge.exe	86
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87
PID 3312 wrote to memory of 4848	3312	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1jxA-mIstYJisQJNb0NMzJFXLHrnHyp88/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9931e46f8,0x7ff9931e4708,0x7ff9931e4718
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,1480449192910537600,12850759644461338047,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:5956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1270fc4-bfaf-4d21-8ed2-353bb29c1e73} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" gpu
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9859e2c0-4e7e-462e-b34d-ef955b7e224e} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" socket
    3⤵
    PID:5604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2880 -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2676 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f60510-5b35-4786-8864-de48c0057e26} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67da838-b563-48b3-b5a5-a349ee0a50d8} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:6124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4588 -prefMapHandle 4516 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6268b2f3-798f-44d5-acb7-71965a52d6cf} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" utility
    3⤵
    - Checks processor information in registry
    PID:6484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5316 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ef28b1f-aae6-4087-a75b-b352c0482461} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c26d4406-9890-4041-a075-9b66edb8bc2e} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:6496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d6ab43-4114-46d3-86dd-676fbe88a274} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 6 -isForBrowser -prefsHandle 6112 -prefMapHandle 6100 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b0a2fff-8755-49c2-8a15-a2e4173ba136} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:6748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 7 -isForBrowser -prefsHandle 3724 -prefMapHandle 6136 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adb15c70-73ee-4525-98e9-3e1b5a495c9e} 5344 "\\.\pipe\gecko-crash-server-pipe.5344" tab
    3⤵
    PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f92e954e1ecc86cb9390aa0b52aa4c5c

SHA1
08db86a515ffb47e04f9c8b63af2f818ca36897c

SHA256
8e966d6502a6444b70abade8691fc133375ecb226c15682d49c2677366ff2b97

SHA512
2dd625cf8958031a3531f572264655693695756a8ce4aeaad1603f4ba12514e5667580786eed14dcbaf7f1d3e010f008ed8ce08b234d2be4096b304cb58239f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65cfe43a82aa0091489c743b54d66ddd

SHA1
ea1254491ecdee437fe8e8b03d4a0fd0a5a4f8c3

SHA256
3bd5df7c15f273b158c4d157337adeddf160d2811e83ee8a65cc5fa35a445c27

SHA512
3f42638ddaf893166476f97fa7f74345e184d9a1c255ebf169005a1e8173438da177ffc03accd4ec8e7f255dcc3e922613deda11ea4b0a34bd4acea8020f239a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
882290506b8219ec2c5b3352340adfad

SHA1
89627e02d30aec677e0dce2961b17f5f8481be76

SHA256
f9ce9ab429ec0ec4a20128ddc03b91912a4d18fce413966987c10da0caffe865

SHA512
6ff83310f1717754cfdc1f33bb4d893375f4ccb70370c54af17ba68f2a6ea2cc883a5991e688a698c393160042b8f90c3f0d87bc5619933105f8d68cccdbaba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14ae1c779c0f81d663edac6f2b8fe44a

SHA1
1f4149a666ccc66d60d32d19ab14621f54f85f39

SHA256
ec6af823500ee206e24622e8e3eeeb6195a117c2c9f9b57ad6d364a4462622f4

SHA512
8a6ba232a3094ca8078d7b02968dad050a9cb38f8c6e3d4d9d318a535308bb23b44df0292ef593f906b5b806c5bd76eca464283626ed5f0f8bfe94346cc82425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
02cb69bb9c08112491c2a1c2d7fbc946

SHA1
ef09294c20df6f8625aba376b1bbe03f1cbe9885

SHA256
37ec250e5ceefacaa0269ad9d2fea65acbdc0b60f359526fbb097d86f6a7ae89

SHA512
bdde5b0c5162b5fdc3c2bb428dfbaf9993661060d563fa82de6a8f9c225a8fdf296b8881fd6996879d9047e2165d72e52b4d867c1ea1dedafc496304f1752d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca35052f8ef5f5859b9c900c92eb3112

SHA1
c6ff6a8ca1c779d44a9036cc99417df4a2d90156

SHA256
c3c724b53e3ee603859aa6a1e2daf01a135746773ec19552224e8724a3d043e7

SHA512
7726100387070df8ffd154a7af2ec48658e4dd7795df59cc62389e37d8a2a4dad351d42bb5fa95e7892fb2c3a8c124340e8415e08e906ff46234a58c544bb380

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
df54724374f199376072ed7cf290ead3

SHA1
10800eac621eab8f93ac351a5a542e50eb433ab5

SHA256
8b3f666d884e7291278aee9d39b5ad20b30515abbd3f5a2a0306f2cd513acb8e

SHA512
efa0b154c14819a9bea9e490219885c4139c8aded7c2996bfa98ca1f7ee87ffbcfeff8115d4b6c367c9d65bde941aabe18f3246ac954412a2f90af80e0ec3ad6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\2ED8C536ED54696E480B08B18A30229434627B9B

Filesize
50KB

MD5
3a6a1a67e99bfa22038eae64721b74f8

SHA1
bff8ff0e15cd9d50c27de560a22c7f370d40cb25

SHA256
b733cad18b8ece5477fd749603495c3b5a3d2ad11f42fb0f91b34014e8baffd3

SHA512
bc6c82a5da92008d18da47ae902be10ed24ad9df425cad070e6ad64b1e3ead0f1d52ab67f09932fbbb4d5fd10906f4a5eb77c5fdfdf1432d67ef8ca8fcda9ee5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
7KB

MD5
37b0cefdaa323528182df7645688dd8b

SHA1
7ab7538411116b674bd109d2283be3812ad21a18

SHA256
23eb239f9a580ab052364d1143636db1c52bdf5759dcad88d3deba6f6fd2deef

SHA512
ca509053076f81092f60c2bbb128fe54896b5a3dfdcbd43080f9c520b58a520a4ca98df8caae1f9dc2040310fef64f89a489ca9626e27fd2eb479a426d53d955

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
634b31624632c3f96be9e25faca318c5

SHA1
0ef6a9f378b8fd8200c33c2e12780530fa412ccc

SHA256
85d81993f55b6f041d8d111c71feacb9cddeed1447cd80c5bbecce0c10a8131d

SHA512
4746166b9cdb93c5893c3e854f4f2499e615e0201fbd26c1833eff411d84cac8e0922bce411321d08bc4245edcf083165d65b7b4b3f8812488c95f8f25a69adc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\bade90bd-0b1a-4476-b74d-472ecbb72046

Filesize
27KB

MD5
e81d1830d518b95735d2732d0d8a11a2

SHA1
87629d9fbf306e9e34300a33493170982000e880

SHA256
ad140f6cf33f652ce29fef4c42b42a985c9a8ce8010f8e7438e73cbc3e8ad03d

SHA512
5b66fc2ce9546e25cbc329166167b6cecb8ef1a6901c66e60d5bb84b211a09242ed4c8f905a13feb01dff5f2bdedf4bbf00412704efdf18153b619ff883f832f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\d22ff9d8-ae42-4fca-9f93-c715e6f56ad6

Filesize
982B

MD5
ed023484185600a38555f81d4d3b5708

SHA1
766dba70b41dfb3e412018b455d1066e129b6990

SHA256
22394d45781cad00e3b27df6caeeea446bf8b836c1dc007a665b9298c09358d9

SHA512
4de47f0323f6e6be0d8080f137ef07eb867b76e1838f36d2d2b4152e51236a6f392307fb72b998167800bf3c38fa63536f1919f2dbc80a9bb8b1f3abf3c45b51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\ee6f7976-d1f7-460d-a4d0-be98b1b3cd08

Filesize
671B

MD5
a9ab6a85301d021136c02ac734cc61ce

SHA1
df3c04e656a694ba2f7d818ea9bea632f01aac3b

SHA256
896406ddb6ed426ada1e48ce4c64c39cf1cb9de34c53a50e877864b9d971519a

SHA512
ae6bb3a8a266d8c06e7e2ec03cc2da0ecbfe3dc26472fe26165190c9375a9b7d2f7304106cf789fab687d7d79a7f75425940e78d4a8f2cf1cd2150fa90f3857e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
e82f038889e793b2c0ab5590b8e2431c

SHA1
71f83343fc68b32cc6de7ca127e8619eeb8b5531

SHA256
7e5d835cd78f6e68ec25b3ebd7f94da0db308b054443c30c69eaaf3d64c4c5a8

SHA512
453b13ca526a44c3c68b396dc573d89698c19f197bbf33baead2007d9c641da2ab4f56e1fa38029e208e3b724efa658bece3daeb110f114b1960c32819ce95da

Download Submit