Analysis
max time kernel: 128s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 21:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3.7z
Resource: win10v2004-20240508-en
General
Target: https://github.com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3.7z
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 22 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process | entries
848 | msedge.exe | 2
1676 | msedge.exe | 2
1504 | identity_helper.exe | 2
5884 | msedge.exe | 2
5688 | msedge.exe | 4
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid | Process
6088 | OpenWith.exe
5528 | OpenWith.exe
1960 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | entries
1676 | msedge.exe | 7
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process | entries
Token: SeDebugPrivilege | 5860 | firefox.exe | 3
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process | entries
1676 | msedge.exe | 64
Suspicious use of SendNotifyMessage (27 IoCs)
pid | Process | entries
1676 | msedge.exe | 24
5860 | firefox.exe | 3
Suspicious use of SetWindowsHookEx (64 IoCs; distinct pid/process pairs listed in order of first appearance)
pid | Process | entries
6024 | OpenWith.exe | 1
6088 | OpenWith.exe | repeated
4620 | OpenWith.exe | 1
3568 | OpenWith.exe | 1
5340 | OpenWith.exe | 1
5528 | OpenWith.exe | repeated (the majority of the 64 entries)
Suspicious use of WriteProcessMemory (64 IoCs; distinct rows listed in order of first appearance)
description | pid | Process | procid_target | entries
PID 1676 wrote to memory of 2176 | 1676 | msedge.exe | 84 | 2
PID 1676 wrote to memory of 4024 | 1676 | msedge.exe | 85 | repeated
PID 1676 wrote to memory of 848 | 1676 | msedge.exe | 86 | 2
PID 1676 wrote to memory of 3740 | 1676 | msedge.exe | 87 | repeated
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the process tree: each indented entry is a child of the entry above it)

PID 1676: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3.7z
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    PID 2176: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf58f46f8,0x7ffdf58f4708,0x7ffdf58f4718
    PID 4024: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
    PID 848: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    PID 3740: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
    PID 4896: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
    PID 3640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    PID 2392: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    PID 4548: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    PID 4296: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
    PID 1504: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 4624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    PID 2908: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    PID 948: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4708 /prefetch:8
    PID 1104: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    PID 5884: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2832 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 5688: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
PID 380: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2760: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 6024: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 6088: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

PID 4620: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 3568: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 5340: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

PID 5528: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

PID 5740: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1960: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
    PID 5200: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3.7z"
        PID 5860: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3.7z
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SendNotifyMessage
            PID 6076: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.0.789379633\283965388" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a0feff-1864-46c3-923b-18c4a00a5020} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 1836 24262125558 gpu
            PID 2324: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.1.872676263\1192048005" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fa55aea-b8a2-4021-a833-83376eb8af09} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 2492 2424de88258 socket
              - Checks processor information in registry
            PID 5280: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.2.1999107175\2038041633" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2996 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7188665-ca81-435a-8b5d-f4995feded7e} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 2968 24265060258 tab
            PID 1312: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.3.1015694788\730363822" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35169ed0-fd79-45be-a8e4-aae4798963b7} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 3600 242665fc858 tab
            PID 5112: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.4.1783223404\15669167" -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5280 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843b8094-6038-48a5-8e70-87b09aefe6b0} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5316 24267d7eb58 tab
            PID 912: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.5.1353781121\183855191" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5272 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eff0f39-d48f-42c7-8f63-0991964369ef} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5196 24267db7f58 tab
            PID 4724: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.6.1401965423\263903501" -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fed2879-1335-4b48-8e01-cc5ca5c1853d} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5704 24267db8558 tab
PID 5048: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z"
    PID 5680: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z
      - Checks processor information in registry

PID 6108: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z"
    PID 6136: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: a8e767fd33edd97d306efb6905f93252
SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Filesize: 152B
MD5: 439b5e04ca18c7fb02cf406e6eb24167
SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Filesize: 265B
MD5: f5cd008cf465804d0e6f39a8d81f9a2d
SHA1: 6b2907356472ed4a719e5675cc08969f30adc855
SHA256: fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
SHA512: dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Filesize: 5KB
MD5: 4f46f38ffea482ce212d499c7047d0bc
SHA1: 0616162a89aa22533cfa3c7902a5ef04d77356ff
SHA256: c12930bc3cabf5362786314f44f0a57bfa6b64d07116211908cea0a9c06247d6
SHA512: c315f970fa93279a6994d6441a972a23e3d1e59245cca67d0be9e75db2e268382d55549c4ac78540bcd616987f356eb9f7489d7598be930a00e46444bcf415ec
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a848cef9-bb89-497f-a87f-6e99eebdb3db.tmp
Filesize: 6KB
MD5: 31acc3e5806fb6f9c184674f872f312b
SHA1: 0777b4e10656b58b992355aea562575d8d1a26b2
SHA256: 04283c835019b633df43ce6526f341d43204424d567f9308cba969bda3a5de22
SHA512: 21572f1e9137fc48501da31d1fcfe0e556c1eeab538be8b97a9b2594f192203c30518202ceb330dc079c18eb4524202ef925cb64a6e0153f62578cd0ded6dfd8

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 472376290616b1037e84ba81b45dc153
SHA1: 8c958fa0f4c0c69ec785935c2161cb07de67b757
SHA256: fd26eebdd4aa949ed22e2ed5b16b5d5152bb693e7847ec5573e79b974d4d6b79
SHA512: 11f8f0a91177d0720ef57470be9d5db1e8f32ccef2ef806e0cad9ff56d87034d6d31f205e055f4f1df2dd65060a605371c3390d27843474cd81c170ac8283dfd

Filesize: 12KB
MD5: e6b63b04464bee7b77fd46241931f2ef
SHA1: 822b7ecacd58a8b5a5d255da530734b3c5dd6fee
SHA256: a72922f9dd149eabd6e2f43a2c131fabe9ee3ff164e8c37636420108b3fcefca
SHA512: ed2b267240302e45895a02c8d2b04765ca37b4bc341295dcffc836cba1879b500730128c8e07869033c15a7be4081935328347dbd31e8d73515c10fb0321081d
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 24KB
MD5: 59bfe4f4ec8148d3f42417f63ae0b3c8
SHA1: ac4e876a86699e2fb64a7e2050841ca7e6018c63
SHA256: 89d74aeb1fd20cd77d48b799daffd604939a3543cca62e2745f2184d27f4d0a7
SHA512: 11e5992ca616625bbd5b1640dcdcf3acf7ae5989da85fa32200b6cf4028e42bcb0daec537a1cf5b76afdf422ab154a6987ad658ef9497094abc9528c0afba7a4

Filesize: 6KB
MD5: adce7b1aaec3e1c77f930224e8b7a27d
SHA1: da8c327c9b1e511d1614d956ebcaf80479fd35c4
SHA256: 7a843c8c6085d5f0e8da3c0f3d50a7b1c73c956bb3f1906f0908c800afae0876
SHA512: c19359d66de005c98463256d15cd9c3665ab438ca7d528bc2e043b66b05b2f097a4f56d752b3189ed968f914a256dc756242d57268710df2d5784f39a73f5616

Filesize: 6KB
MD5: 9ef3018faeee1eba25b53b66433b10e9
SHA1: 0cc0f5e40550b37e172e070896643f7a4f6e1730
SHA256: 735d3dd9759dbaae0bd6e0f9469dd37e7cc29fc2da84475f921a3e4fe2dae477
SHA512: aaefb64f8ea6080c00c108c5d2e515fa7e17bfdd7aa0b23496efa3dbc42ee4985d83a393430163ac5618f705aa7975c9998d52f6da71880b5659c2af49674820
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: a8b8dd7e46f3e1e073a060b46c76cef7
SHA1: 97a54a74c40957a7ede449ae3f656d12130f5f35
SHA256: f7effbde1e11afe44f8edc230a2c39f8d06fd815fe51e32405e34aeca4c4988c
SHA512: 477564d985c4b2d3512608e292384b27c1bea8f5ac117b6ecbd470720fd45f2c533fdc5b63cfe6043fdd2649214a4de67e514ac9767bd2bc38a4c9e473f19eb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
Filesize: 819B
MD5: 722e52775cafb579fa7e7a4da5bab670
SHA1: 5b88d312e108eae4e474ebdcf45ef357820dd509
SHA256: eef8735743adb17cf270681a7ac05d1d394270a1d3bfea2b20cfe81438488836
SHA512: 65baafe10949341df8c6e1466bc67d7e29869d5b3051100525e2d19ec2d1a97b65350a68c2447aea7379806280edf627d516dc9c42cf6ec206de8077ac68fe05