hxxps://drive[.]google[.]com/drive/folders/1sNLbiR1dxFmbsNJHNMsi0c1wBHsBAX77?usp=drive_link

Analysis

max time kernel
153s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-10-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1sNLbiR1dxFmbsNJHNMsi0c1wBHsBAX77?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133737798919683244"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DBL-Extraction-Tool.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3248	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe
3892	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3248	OpenWith.exe
3892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 776	3180	chrome.exe	79
PID 3180 wrote to memory of 776	3180	chrome.exe	79
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 2704	3180	chrome.exe	80
PID 3180 wrote to memory of 316	3180	chrome.exe	81
PID 3180 wrote to memory of 316	3180	chrome.exe	81
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82
PID 3180 wrote to memory of 1316	3180	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/1sNLbiR1dxFmbsNJHNMsi0c1wBHsBAX77?usp=drive_link
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa626dcc40,0x7ffa626dcc4c,0x7ffa626dcc58
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1740,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2060,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,14029360583877446084,4323595243183323401,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=736 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1680

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\DBL-Extraction-Tool\dbl.jar"
1⤵
PID:3676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3248
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DBL-Extraction-Tool\README.md"
  2⤵
  PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\DBL-Extraction-Tool\README.md
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3892
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd17feb3-2d2f-41fc-9240-ca56405076b7} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" gpu
      4⤵
      PID:2208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a8c84d-84f7-4420-8213-a3d7ee466213} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" socket
      4⤵
      Checks processor information in registry
      PID:1680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 2576 -prefMapHandle 2768 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56f7588c-b0f0-4e51-a2ab-8ecd1c59de3c} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" tab
      4⤵
      PID:1972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 2 -isForBrowser -prefsHandle 3332 -prefMapHandle 3348 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69842839-ff68-4fac-9d2b-0bb5ffa81cad} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" tab
      4⤵
      PID:3768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4100 -prefMapHandle 4200 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f188a155-3897-473f-98d9-92a192555d1e} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" utility
      4⤵
      Checks processor information in registry
      PID:4656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5264 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {205cac58-25ae-4598-abb2-fed636334e1c} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" tab
      4⤵
      PID:2372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebf097af-25c9-464a-8ee0-93ad63da79a5} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" tab
      4⤵
      PID:412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5516 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f61678cf-cd32-48fb-920a-2e9a76d780de} 3892 "\\.\pipe\gecko-crash-server-pipe.3892" tab
      4⤵
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
923fe19d960cfdaf65a641136b7ba1e0

SHA1
1a97a415872095b13b3104fb913a940b6f75c471

SHA256
44e8664f4eae62054c51d2e31e359e7185fceb88573f8cf486e8c64a3bcd901b

SHA512
cd766ce7de7e4cb7ca9e7527ecde2498204b3dd54f5e59c2bc51e991fe7aaed23caeeba37e1eafc7575e0edb87cfaf81d6bd2e4d9455199c66259235c9ca0b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
5dc2559599779c55be6b81f0bfe797e1

SHA1
dc9ce6631b28596445ff58a5ed988caf8b9f997b

SHA256
2b87e62fdfb2d620af0c598b241853330d4688a5bd781a0373d73606151405e1

SHA512
a110ecb5a18f647d9bb5d71c8692763b9e8240553332f12362b6df3c95a3283feaf8f9ff261308e8b7ac7179ec2609e14e74a27223c9b0d311606b21be7b551b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
b5468628db9b8127d4b756adec58f37f

SHA1
255e4847b46da075b6306a95ca5a2ec9efa3df22

SHA256
c302f1832bb209269fa3942a1d3af56d29d579bd90a6e4452400dfb87f401fa5

SHA512
d49e74dc6678d7c6a863e04143ddef5df868d639b00cd4212bbb3247c2c2237af59aa37544d2b58f38db5fd24be1985f9912579f16383ce651138d009b0864cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
07ab39fa19c208bcf3a8e25159da90c9

SHA1
d9a07fe1882ed81fbfd98bd769354a1e19014f8e

SHA256
e38b125dc79936ab5f2ef378c5f5e8ad3abfde56af698754d16c2c5594748f66

SHA512
5f77511c4c9df11da57ac90d5eaa4398201f96fed4b8ccaf664d219ccc062910c92c347d15382bece481a31b1f54126096f0b002537f702ffeb19589330cf279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
e2578c441f32505eedc8c8bd05a9e41f

SHA1
975d73228bf65b0c6f002afb2aa98174f7dd1e74

SHA256
136d222b2f310c1bcc5d809367c1346c718089c92afe092f2c5e59bef8ff6a3c

SHA512
dc4d622904de9c92693d04a9fc72d0cfda9a5578440e62f7c0a17e2bd8ca2acd0ee496a5cc5797db5db37b161ff61117a290f71ccc66b7711120d38f55bf2ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c02b1daf2d4d0e90198221247c2c6c05

SHA1
1f6d3b41ad4fd34cf358cd518097c8c5b45b7cc9

SHA256
2f5d085cb067d27c2333a8abc93d2091f9270a1316e056c0a29ff45e26679c10

SHA512
9e14c4d8d208658224a0a541f463315e9c86a75226dc5007d7cc31d32f9e47c67201ae88650b41b9778927a92544535eb6090a421576275f5112c2d6d2f7c368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
138dcba13e2d1f9b7363293a365cd5ca

SHA1
97a476d5f1e2add9c357c5fe672a660486f53720

SHA256
a2aa6257f963208efe36b6aeef6a9fd6591d14c370bd7fad107a14034c20b750

SHA512
023b29793999242785f7807f568837c3ccc343db1773f58c93f926dfea93fb3b379e09b8634fcca5fb621f32c59c543f4feec4245a49d020d3c15697324a312f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11192f8daa6af0c489971890a8868593

SHA1
c5069a5f452f03e267126ab3b6515ffed5201723

SHA256
ca518ad23ed244027862ee09900d79f898293cd8b4131ac48d881709d3a9007b

SHA512
49561e1eab8bb7f3c8de0ed03da1c8c320b4b43dc09b745410afc309f3e6f3d5e8003c596ebe84069d3619f7e91eed74f2305ce6cc4790e8e6d33556d4c55a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0aa040de9251a4be0ef3e8997cc9d6cf

SHA1
f0973d0ac878ba2c7b0bfbe1c65cf22ca6073087

SHA256
4273bb726b427d0e964fa47292e824f55f5de2cb8928891b32a515b53d2eaab2

SHA512
fa38958e3f00be22ada5f4458511abfd7532f94f9c224061d6abca3083bdae4228e3e8532251a538550561fdf877e99acb6f006666cae3c929e334b3ff9d23df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c73482063e899c7ef7c31e786105af53

SHA1
f3de1a962f74375d72b579918bff56d97f7b66a8

SHA256
5ea8ce44097211f106458e758cec58fbf9396e096a266787aed01194c3efb8ec

SHA512
9f0c1b983ee49ce62cfea070d648758691f9d71f8828856e21c81b539fb70a31eaabbf35889b33dd9e964bb4e8b246f0cd85b6c6de9c62cc1f1e79b662f01f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fba299876a82f88cec1e27416765e7d4

SHA1
ed598fe32774bf7bdb0b83291d5f7f2d9855de2f

SHA256
d8d897a116694077471bb29af3f90aa9290f83837a9d41931f9d8e0b3e3e6b78

SHA512
2857d630bd7c30f966606890c95bb37db47d914f673430d394f6236ca22826a02e5d1f749ab05726b9e4021b463ee159f3c7e34394c38dcff041f640c5fd6abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d73f4dc32f0cfec19012ef8996026a6

SHA1
93dced9ea563e6b307dbb6f98ad8fa89d34af85b

SHA256
8b2a7738377d7dbcb26798ecfd19aa330f35e5c6da06d4bccdc5594d8544b3cf

SHA512
bd6ec230c85176cf3a686fe23bbbe3445d410baa32a59730426d5290855f39c76e341e2b97a88b5d113a1122f04ff7445c6bcf0b7025277bc74e48bcc156095d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
aa837f38f2743809e104eff6487cb790

SHA1
eda581e97e56a9bb6504944ab5fafa6ed5a19c86

SHA256
ed00b4da6d5b613dc0187b974cd68aed101c31e15e8d31dc4581a0a5006660a7

SHA512
e2d9c0a88e0ffe63e7d612edf5803d5608a2e1964e528da84bdcd8e1e6a97c287da0fdaf5d497bd3367679c84f114ae32fd5cefded2f2f82ec2a318742d46fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
f1f5e780f0baa6d11c3d5f2269a90166

SHA1
78bf82a3ef322539b15e86d5bac1a0caa2507541

SHA256
17e045fb27d8e102f32bb039d2811e301700f70a581bf2f49615275f7b519887

SHA512
125a4cd86b8e5528682347a10d147cf3a4720b4983089b91b092885a5879f910e3e534582e764624adda2dcb882a231a371f660d05162e6d75c00fcc2151706f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
fc6312174ac4f55fd2ad3add59437a43

SHA1
9abf4a330a4984db7fae75fbcf9dae0c969525f5

SHA256
a8a4513a6822fd423d13874e88aa0b42e182b575e504c19833c526b08bf525a3

SHA512
6d8d36275c735e0340e3981f302b85c457800cc75f7083d301c7ae307905c2ed7734c8e9e9792670a5f6f9e76677366d4ce577202033eaa8c38c59bafe9777dd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
20526d98ae70563de9aa8a1b335f5026

SHA1
891f607f5b0f615167d0df26e3602f7d4bcc2137

SHA256
b5ff318953927df24f53a0433106d6e8afef1e4661df80b7f3af4d0418443769

SHA512
8b282d69ad4972429f648e056c75e4f495f909b89054899eb55f16dec6007d3b42e2f51b67fbf09b51afebfc9d8756a2db1cd45143eefa0537a4dc8effbac94f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
21507b1430b121f2759f91995f27db44

SHA1
1fb68f6642a83b1c2af57f910e60abdc58a5ac71

SHA256
8d08a90755a48b3841eb046fff825494ba25febd48134efbf61b760da00c0e24

SHA512
5b7ebd2037bed74b16236656132b2d78118744df248f75140fa4d735b1fd211943dc5dc173d8b8ad181b517767a67b387823fb1004cc6df511f4646890c957e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
0c156c4e4ad221cb48983210973533ad

SHA1
7561b863037b05f700cf416d3052812576bf5c24

SHA256
761818615c42afc6445b352cf79d102c613873b59c0b72e68358b4344047ce66

SHA512
952648d168c06cf3c552f99f42e032c4830de55e85e1edb5245531e62ed992ce0be43a174e9a1dbb9572e04c39b9e049bd3dac93f3703320155bef62f8087da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1acf4598488220d64cd116598df61426

SHA1
3b3101bd8688cd80beaea85140f44c8050019f95

SHA256
44ec5efd12140690d8a34e93fd0e86991fe0ebc4c9701750bbc5e6192b3f2c06

SHA512
4ba23e4db42707016aa8532f97f37b271fa851956cd3f6e0cead49e54a67c94798459a98cadb9774ed8a6dd65e03c50b6b0c77f50b669ffdf770a6d896aad22f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\c0df4bcf-46d5-4d87-9726-43928c5264ea

Filesize
982B

MD5
3fca19bacb3aaa958dd9446e2c5e0174

SHA1
37b63fe5496bc089c7a03588d95a4d9c4ef7b821

SHA256
090ade104ac260db0648429f47f7f0fcbc48a2b52862dabb8274e31337c49ef6

SHA512
9d8f763123791b401014e2f752289b6706a283b45ba37a9b169447888df5d3f4ca73381fa0ea6fcd741a7db6bfdc68d0f3f6cb2ff642ae5635a1d82fe19ea8c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\c912fdd9-a8f9-48e5-a414-29123c525da1

Filesize
659B

MD5
082fab2f0250d7dbf9ba3b28f1820395

SHA1
52a948261bf35151d608a367a5fd1ca208bb2942

SHA256
3b7da78b262b4e51235d5e830455e5bc76c2cfe297d1e050078c70acb83de4cf

SHA512
a9e856581c4468410c2abad86bed92e66c44c73cffcdd2b129340f17d06e1f22f623eb36a70021e4c4ba212a295162f69bff6ccee5f6299f310c65c0bdec8762

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
11KB

MD5
a233da86cafb218a6229aaaf792042dc

SHA1
f210688f78f83513c89ef25abb6f29cfa9334ec6

SHA256
3c334bc6a76f64a99eea2e2d4e7cddb4d9a521a5b2ca1f40d04be2909fc0bedd

SHA512
a545e5acdce9ee11d207d432c094630d54acf1724aad19a9cee14240db74dec700e4a8056461451a2830c3391a30c28308dc9d6b0d162fbfaccd1aa65668f33c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
11KB

MD5
33df5a48e223c7e1169a74ec5873e9e2

SHA1
f27ce3fb7036ae45bebf639364bd1547b2ba03d0

SHA256
50f1d8844cfbdb8399b7e0fa28eeebd32f3a5cbd3e8e2561a43fb0cfdccadc8b

SHA512
ae1bf0735ebf67c74b812eacea20590d0efc97c8b1a7b5260dc6a420098d13831ffcbc9b06e373daa9f45d8bb9e54386158f93726cea092b42954c92b28f1a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\Downloads\DBL-Extraction-Tool.zip.crdownload

Filesize
4.7MB

MD5
bff892b7381c6dca7aa9ff5bbf533c23

SHA1
32bec169242ef722a8fbcc642a0465f61ab8f69f

SHA256
57d1a8643a2a2d47c47bb6f41f40497686b4811c081a45bbbd0aedaa06d1f6df

SHA512
47e8414630793fd7d93c72b6a0437948727d65e6b127745b878b995871d9f8ab73570a8e5e98d13fa75e8ae6eeedbe7699a707acc9212c5079bc607ab29b72be

Download Submit
C:\Users\Admin\Downloads\DBL-Extraction-Tool.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3676-329-0x00000238E4CC0000-0x00000238E4F30000-memory.dmp

Filesize
2.4MB

Download
memory/3676-328-0x00000238E34B0000-0x00000238E34B1000-memory.dmp

Filesize
4KB

Download
memory/3676-326-0x00000238E34B0000-0x00000238E34B1000-memory.dmp

Filesize
4KB

Download
memory/3676-317-0x00000238E4CC0000-0x00000238E4F30000-memory.dmp

Filesize
2.4MB

Download