hxxps://github[.]com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3[.]7z

Analysis

max time kernel
128s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3.7z

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
848	msedge.exe
848	msedge.exe
1676	msedge.exe
1676	msedge.exe
1504	identity_helper.exe
1504	identity_helper.exe
5884	msedge.exe
5884	msedge.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6088	OpenWith.exe
5528	OpenWith.exe
1960	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5860	firefox.exe
Token: SeDebugPrivilege	5860	firefox.exe
Token: SeDebugPrivilege	5860	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
5860	firefox.exe
5860	firefox.exe
5860	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6024	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
6088	OpenWith.exe
4620	OpenWith.exe
3568	OpenWith.exe
5340	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe
5528	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2176	1676	msedge.exe	84
PID 1676 wrote to memory of 2176	1676	msedge.exe	84
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 4024	1676	msedge.exe	85
PID 1676 wrote to memory of 848	1676	msedge.exe	86
PID 1676 wrote to memory of 848	1676	msedge.exe	86
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87
PID 1676 wrote to memory of 3740	1676	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/blowcrazynofex25/blowcrazynofex25/releases/download/latest/Git_softwares_v1_7_3.7z
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf58f46f8,0x7ffdf58f4708,0x7ffdf58f4718
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,8910878770521064940,10146584683689196330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3.7z"
  2⤵
  PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3.7z
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:5860
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.0.789379633\283965388" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a0feff-1864-46c3-923b-18c4a00a5020} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 1836 24262125558 gpu
      4⤵
      PID:6076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.1.872676263\1192048005" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fa55aea-b8a2-4021-a833-83376eb8af09} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 2492 2424de88258 socket
      4⤵
      Checks processor information in registry
      PID:2324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.2.1999107175\2038041633" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2996 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7188665-ca81-435a-8b5d-f4995feded7e} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 2968 24265060258 tab
      4⤵
      PID:5280
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.3.1015694788\730363822" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35169ed0-fd79-45be-a8e4-aae4798963b7} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 3600 242665fc858 tab
      4⤵
      PID:1312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.4.1783223404\15669167" -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5280 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843b8094-6038-48a5-8e70-87b09aefe6b0} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5316 24267d7eb58 tab
      4⤵
      PID:5112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.5.1353781121\183855191" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5272 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eff0f39-d48f-42c7-8f63-0991964369ef} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5196 24267db7f58 tab
      4⤵
      PID:912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5860.6.1401965423\263903501" -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fed2879-1335-4b48-8e01-cc5ca5c1853d} 5860 "\\.\pipe\gecko-crash-server-pipe.5860" 5704 24267db8558 tab
      4⤵
      PID:4724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z"
1⤵
PID:5048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z
  2⤵
  - Checks processor information in registry
  PID:5680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z"
1⤵
PID:6108
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Git_softwares_v1_7_3(1).7z
  2⤵
  - Checks processor information in registry
  PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f46f38ffea482ce212d499c7047d0bc

SHA1
0616162a89aa22533cfa3c7902a5ef04d77356ff

SHA256
c12930bc3cabf5362786314f44f0a57bfa6b64d07116211908cea0a9c06247d6

SHA512
c315f970fa93279a6994d6441a972a23e3d1e59245cca67d0be9e75db2e268382d55549c4ac78540bcd616987f356eb9f7489d7598be930a00e46444bcf415ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a848cef9-bb89-497f-a87f-6e99eebdb3db.tmp

Filesize
6KB

MD5
31acc3e5806fb6f9c184674f872f312b

SHA1
0777b4e10656b58b992355aea562575d8d1a26b2

SHA256
04283c835019b633df43ce6526f341d43204424d567f9308cba969bda3a5de22

SHA512
21572f1e9137fc48501da31d1fcfe0e556c1eeab538be8b97a9b2594f192203c30518202ceb330dc079c18eb4524202ef925cb64a6e0153f62578cd0ded6dfd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
472376290616b1037e84ba81b45dc153

SHA1
8c958fa0f4c0c69ec785935c2161cb07de67b757

SHA256
fd26eebdd4aa949ed22e2ed5b16b5d5152bb693e7847ec5573e79b974d4d6b79

SHA512
11f8f0a91177d0720ef57470be9d5db1e8f32ccef2ef806e0cad9ff56d87034d6d31f205e055f4f1df2dd65060a605371c3390d27843474cd81c170ac8283dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e6b63b04464bee7b77fd46241931f2ef

SHA1
822b7ecacd58a8b5a5d255da530734b3c5dd6fee

SHA256
a72922f9dd149eabd6e2f43a2c131fabe9ee3ff164e8c37636420108b3fcefca

SHA512
ed2b267240302e45895a02c8d2b04765ca37b4bc341295dcffc836cba1879b500730128c8e07869033c15a7be4081935328347dbd31e8d73515c10fb0321081d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
59bfe4f4ec8148d3f42417f63ae0b3c8

SHA1
ac4e876a86699e2fb64a7e2050841ca7e6018c63

SHA256
89d74aeb1fd20cd77d48b799daffd604939a3543cca62e2745f2184d27f4d0a7

SHA512
11e5992ca616625bbd5b1640dcdcf3acf7ae5989da85fa32200b6cf4028e42bcb0daec537a1cf5b76afdf422ab154a6987ad658ef9497094abc9528c0afba7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
6KB

MD5
adce7b1aaec3e1c77f930224e8b7a27d

SHA1
da8c327c9b1e511d1614d956ebcaf80479fd35c4

SHA256
7a843c8c6085d5f0e8da3c0f3d50a7b1c73c956bb3f1906f0908c800afae0876

SHA512
c19359d66de005c98463256d15cd9c3665ab438ca7d528bc2e043b66b05b2f097a4f56d752b3189ed968f914a256dc756242d57268710df2d5784f39a73f5616

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
9ef3018faeee1eba25b53b66433b10e9

SHA1
0cc0f5e40550b37e172e070896643f7a4f6e1730

SHA256
735d3dd9759dbaae0bd6e0f9469dd37e7cc29fc2da84475f921a3e4fe2dae477

SHA512
aaefb64f8ea6080c00c108c5d2e515fa7e17bfdd7aa0b23496efa3dbc42ee4985d83a393430163ac5618f705aa7975c9998d52f6da71880b5659c2af49674820

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a8b8dd7e46f3e1e073a060b46c76cef7

SHA1
97a54a74c40957a7ede449ae3f656d12130f5f35

SHA256
f7effbde1e11afe44f8edc230a2c39f8d06fd815fe51e32405e34aeca4c4988c

SHA512
477564d985c4b2d3512608e292384b27c1bea8f5ac117b6ecbd470720fd45f2c533fdc5b63cfe6043fdd2649214a4de67e514ac9767bd2bc38a4c9e473f19eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
819B

MD5
722e52775cafb579fa7e7a4da5bab670

SHA1
5b88d312e108eae4e474ebdcf45ef357820dd509

SHA256
eef8735743adb17cf270681a7ac05d1d394270a1d3bfea2b20cfe81438488836

SHA512
65baafe10949341df8c6e1466bc67d7e29869d5b3051100525e2d19ec2d1a97b65350a68c2447aea7379806280edf627d516dc9c42cf6ec206de8077ac68fe05

Download Submit