hxxps://drive[.]google[.]com/file/d/1zD36-Czf7HwgyaPy2hR29KxZuGqCEjqw/view

Analysis

max time kernel
71s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1zD36-Czf7HwgyaPy2hR29KxZuGqCEjqw/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
6	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Fisch Macro V11.ahk:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
128	msedge.exe
128	msedge.exe
1128	identity_helper.exe
1128	identity_helper.exe
2176	msedge.exe
2176	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	firefox.exe
Token: SeDebugPrivilege	1032	firefox.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe
128	msedge.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
1692	OpenWith.exe
4584	OpenWith.exe
2392	OpenWith.exe
4472	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1368	OpenWith.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe
1032	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 128 wrote to memory of 4696	128	msedge.exe	77
PID 128 wrote to memory of 4696	128	msedge.exe	77
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 908	128	msedge.exe	78
PID 128 wrote to memory of 428	128	msedge.exe	79
PID 128 wrote to memory of 428	128	msedge.exe	79
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80
PID 128 wrote to memory of 1604	128	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1zD36-Czf7HwgyaPy2hR29KxZuGqCEjqw/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d7083cb8,0x7ff8d7083cc8,0x7ff8d7083cd8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,15481504383321044686,15758034517413147355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Fisch Macro V11.ahk"
  2⤵
  PID:1236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Fisch Macro V11.ahk"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84fa0e0f-0630-4b37-a537-15411d65556c} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" gpu
      4⤵
      PID:3912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80070e6d-2459-4947-be22-c552db8107a9} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" socket
      4⤵
      PID:2936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2992 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fa0f5e3-2dd3-417a-9c03-682d739dd824} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:2952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1177b934-8a64-4880-b69d-2fae5b0362e2} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:5108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a06cd7c-fb15-417d-8f9a-6c2db65604ba} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" utility
      4⤵
      Checks processor information in registry
      PID:5536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {716e82ff-b1e0-4ddd-b528-456a66a0ce6b} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:4820
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {692017e8-1f4c-4e41-940e-b67e00dc162f} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:5224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b79bdf-2943-4050-a633-d46a80303d7c} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:5208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 6 -isForBrowser -prefsHandle 2764 -prefMapHandle 2588 -prefsLen 30145 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee7a144-bfd1-4059-9cb1-fcc1404f82bd} 1032 "\\.\pipe\gecko-crash-server-pipe.1032" tab
      4⤵
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
866d1df74b04230c693536bed5003153

SHA1
51a9b66f24d81c1d9a102d600c6470d6a941d6fa

SHA256
40c09e669249b5d45281ee7a46f074c7c0601d119f3bc39bb893057f024f0019

SHA512
3cc2257fe269af933841facd1366e924eff6dc0d4840c4348ba996c04b7dd5238ce15f99169014c9d9b013baa64774fb0e8422c14d8aeb99ccb54fd05bf8360a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a68e8a6d48d248b2d2afd42251202e28

SHA1
28bfc7761fb0a534d257fe3ec41d88167686ad91

SHA256
28943e4fe09af614ea2f3e00fabd173fe3a665a20aa0fc536e529b882aa3d19d

SHA512
a717b54b915f9b986719e035c1ec8903013ca0e0de751d2b67a55722aa37c0148d2c5b6639c41efbad0817e5eecc828fe3bd74c8cc31e2bfef342d31c57244b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6fc96d2b49d746fdce4539165119658f

SHA1
5b732dcae168c42f963b9207aea41d3e26f72472

SHA256
efb284a88a941a0063188c9d4d05200bd6b91913dbe3a0380829974bfbc71069

SHA512
43e3abc1ce14d2bf0d7952f788ca0670adc83d2e760493d67f32bc7b6502874c1b49e5549b9c1afacef95a45d9fa3963fa29cf19dfba8b496e6fcf5403cd92c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f6d8652f6d247fcc8551da5d09e5cfe

SHA1
631a21c8d587a414098ffcdf1b1b60d8d4b9e10c

SHA256
b661a90eb5322726e3f6381b0f9ca5acc9cb3673cbf06bfe447893f8e9e615df

SHA512
5fa2789896b856f6c89aa27b0e04589270cee270ced798f37b7070b73e8225d54649865b7072dce4ac02d904839aa8baa6ffd36c38d62689543ee00736a4137b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7cde102d3b9a924cb7f838f4c752729

SHA1
b1c21c71d12bb6117f6373954d6bec673e3bf5b2

SHA256
84c16bb961246c4364c59a77d248b9f9ac83ae94ecce526ae3a5b9646a03fb47

SHA512
870c05d4cc2cedf7eb1d9d9e18507563d338fca55efb6a2ef4d1bd9f2c84f1ea18d52de13846190336c0da499d5b9e64bd5cb682fd26fec94b0b814039a5f4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70b0e35c952df80c1a25c6b0dca58bee

SHA1
5991b60d505c3daa302ef874edb98d093eb62b14

SHA256
0b9c1a8f80aea0bd804ef3cab7159136b450c7ff0180436453e409f520a340e4

SHA512
c67574d92e0abcd89e98f2d2c61d50c66b491bc98026f97a0cb5890f770cc57b814d8f996c0801b1c0afa7927f48fb6b6f5ba5d417314cca7f3ba52996423563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
d890856e9c8c4c15db1f5699eb539d33

SHA1
3a867ebacdd113781e344d84aa527a542a46454b

SHA256
6a2207f24318e1f162f4edcec87bf53230d8401b2d856660d76b78a1a22aba43

SHA512
b7a90acc89741370d5f6ae81a9f61d96782a9488867ac943bd44d29428366fe987e1434599925917b86a380aea6bad22980ff72812bf5071c347ac2ac1b2644c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
f95a989e4aaa38142a451e6b07582ba0

SHA1
2fe634348add7485a8280e0beb7501179dcaa4ce

SHA256
75a1e5172c68e305da2d184012b15f8f7feb042ba6790a0588ae619a590ac628

SHA512
cee6538ef45e963916f8857f574209425f5e2316503f2c789e83937ef7d446033287edaeac7b7237b6f03844802bd13cf32b6a2b0601b038cb8dd6135d027506

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
a6c48837ec2febd40084cab22dc171df

SHA1
e69f38652f8c819cfbe62afb0608fac2e62f03e7

SHA256
46f358a7149630f4e6beda30a1de060868e5949536a7b0eaf07b54634ec39503

SHA512
26937e02b90f891f13640f77a00d7189730e34a2720eac69ec985a21b088d4df561bf4b882fa6193be78574ef2f0cba8e12db2535c5313fd49e4a1f3b77c83f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
eb20a4b19fb974a6c205b8551fa0e5f2

SHA1
7809508cecdfc179dd5549860ed3d47f59ed581c

SHA256
0ea87526cbcd3390c60b304da84d6617c575713f15d7ffb42657c895ce014a6e

SHA512
cf5f255b7512bfc589f134343eb5e523d026905629dbd143fe5c3242098594dec16cf560266026c2cd1844150ca8112161f40634c4d61b5f45c363e6e66af088

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\4d1ac771-1d81-48cd-b62f-c6fe99db30a5

Filesize
671B

MD5
7865cb7cf97f53de18ca4c749d2663a6

SHA1
105c2a4bf8b916af1e1c13a0cfbfb5c7dc91c64f

SHA256
5de8ca9d924c58c1056962218bf0274b78c0088c3cbe17c138173aadbdc57890

SHA512
a8d30a99f9cb263c1c389bb2069162c4ecafb1026b2db09cbfffd261e32d2b7d1c0333c30bccf1f2bfb84f8e5dbbd9753269414e3921e8281fa8ea6c7eb1f48d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\789543f2-a9fb-4d74-80aa-f39ccf0fd0ac

Filesize
24KB

MD5
3fa879fdfeced45473d3dc2c21624eda

SHA1
eb24b32646dec1e8d79c262fdc8e75f9e9323195

SHA256
4d30bfa394ddd6478904439386059e6dfc44354726ec9847ef53a88aa9f38b60

SHA512
cca2277548372be214ce53001451f4f67201ad7802c8a50bd7cf368a4c5174aacd13b22c1b5c58dadde87aad4652314ac2d752880d1f28070fc28acbafa9abe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\bf3b2d38-97a4-4a50-b528-1b20102c934a

Filesize
982B

MD5
871b1c69ea85e72bcfbf6fcc0ee63814

SHA1
efc6724d337174552058646dfe2a74c25589070f

SHA256
3030c2c90f152c80b089e345236cb7a5bee82de071fd4c8dea4036d20e58979c

SHA512
2b8b0fa2858246503a12baaa534135ed7f44ffc23555e0bdba52ae31f1d8c91f82efe2d47c38c4bf4875a8b432a36910acd4091755c4dd0f71f76cab8fc1d81d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
11KB

MD5
97863f08e58753bb5ee967059ec36b0a

SHA1
9540ecf5c54e664642b9fc5d69a4a8d0955bd2bc

SHA256
8a1d58f1da4d7751441a863b9080963d7046ff1166f49cb610562f9a76278235

SHA512
b5da1133aa12d68fb52bcfef74c369c11f08f24ef2290977c2b8323dac365ecb8ec8236c7b0a1f3bf6cafae97542ce5335f72db5b8b5974496f4a9986c0c9390

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
5c0f664bf5c237406ea306bb5609b294

SHA1
d0899a287a6670194b58e2027b89e9952ec6fe29

SHA256
f116b542b2606ba4017e0dfdc9badaa6f520604bb9a84d65971f4050e3e007a5

SHA512
6e87c5909fcb9197228ec18d672addbd6fd60c74236b55aaff8836d0816a0fd19c8069e25c9dc016ddb830d9378122fa42cbd0b9be89cf6f698a2169e67719e1

Download Submit
C:\Users\Admin\Downloads\Fisch Macro V11.ahk:Zone.Identifier

Filesize
173B

MD5
864013562f874bb9ecfa883dcd4b2330

SHA1
5277220ddc88e00fff3cc75649bdc04c6cdc3295

SHA256
9e27d70795d71bb1dc35603648b32be8cd01409a01fb5f15367849128912ef41

SHA512
5b33b3a0366c51ac4c6c19ab6a2e8b21b2882b173949ecc2bfe786bd7f2f97249439fec185f35e4fbe393e80ef4dcb189ac8d123cb5ae820727633666efeb843

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 99109.crdownload

Filesize
25KB

MD5
fb1aed8c283e69383e94d7e51aad36d1

SHA1
058ee94c6c1c2472ad0aa2d3e795e95b3ac3bb4d

SHA256
5a9220412899a89b12a4e761911a50d0ba27dbd592aea4c227674670ef4e7a5a

SHA512
73b804b0b6bab55ce78427f7cace2bf27b61eb1f37dca0fda66ee5cf21f82d9bbc8ca0a515429ab243f7dd5ca0efca86b5e074ffe7a689bcf7bbb4a1e642f9a5

Download Submit