hxxps://github[.]com/git-for-windows/git/releases/download/v2[.]46[.]0[.]windows[.]1/Git-2[.]46[.]0-32-bit[.]exe

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/git-for-windows/git/releases/download/v2.46.0.windows.1/Git-2.46.0-32-bit.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\crdownload_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ᱜ쐞팀蠀⪰汀翼\ = "crdownload_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\crdownload_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\crdownload_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.crdownload	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ᱜ쐞팀蠀⪰汀翼	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.crdownload\ = "crdownload_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ \ = "crdownload_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\crdownload_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\crdownload_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 300824.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3456	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	firefox.exe
Token: SeDebugPrivilege	2192	firefox.exe
Token: SeDebugPrivilege	2192	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
3456	OpenWith.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe
2192	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4560	2896	msedge.exe	82
PID 2896 wrote to memory of 4560	2896	msedge.exe	82
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 4380	2896	msedge.exe	86
PID 2896 wrote to memory of 2016	2896	msedge.exe	87
PID 2896 wrote to memory of 2016	2896	msedge.exe	87
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88
PID 2896 wrote to memory of 2284	2896	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/git-for-windows/git/releases/download/v2.46.0.windows.1/Git-2.46.0-32-bit.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc6cb346f8,0x7ffc6cb34708,0x7ffc6cb34718
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,10083306458914085065,16699853002911463106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3456
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Unconfirmed 300824.crdownload"
  2⤵
  PID:624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Unconfirmed 300824.crdownload"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2192
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {130afb29-ad2f-4bdb-810d-ec629a6597bd} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" gpu
      4⤵
      PID:4280
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2d4f49-dd05-426d-a014-45765ed5d659} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" socket
      4⤵
      PID:3452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3268 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e345a30-0acb-4fbe-ae97-88243932393c} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" tab
      4⤵
      PID:3236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3820 -childID 2 -isForBrowser -prefsHandle 2992 -prefMapHandle 2976 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff45d03-a85e-480b-b41d-acf4a47ad917} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" tab
      4⤵
      PID:3628
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4492 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4384 -prefMapHandle 4380 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d4f24ac-8f40-4a73-af1c-5d8dc145f998} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" utility
      4⤵
      Checks processor information in registry
      PID:4224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 3 -isForBrowser -prefsHandle 5816 -prefMapHandle 5848 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf01636-21f5-408f-8844-a85fe2ac6af3} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" tab
      4⤵
      PID:3104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 4 -isForBrowser -prefsHandle 6000 -prefMapHandle 6004 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd414e63-affd-4295-852e-c78680ffd30c} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" tab
      4⤵
      PID:948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 5 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83fae3f2-31b8-400d-bda2-36111214e5f6} 2192 "\\.\pipe\gecko-crash-server-pipe.2192" tab
      4⤵
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
225be72e4616e0a6c70de6e01f515e89

SHA1
c36bf9d14b4d255aca8ad281913f12ba61855d77

SHA256
c9f64d14c7f5b1d57ef4fd83e1fc2c261662ec51fadb9903b26910ec4bbad522

SHA512
f8ed06455985682525776d9db006b6f98cc3088b241740294b97696f87f525d19aee9445ec5d72352e63a83449e0df76c8cb5f5062b3aff2e05e5a755b827d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_06C93241B0E63B9DC7503E92E68915C5

Filesize
637B

MD5
d239fd152aafef4fff983fcd1663e9b9

SHA1
00ce8266a6088c66dfc5f70d07b2cae57f734147

SHA256
14a59c01d506c6fb7d8cbceb58df7deee9094decc1d56c33396d784fcc6db9d7

SHA512
c419dbed27e80fc4580e795016a53ceadbff196510016cc9d47de5b754167d5840f6c5d256d208364b344a806bc26f1a036c4a9b2be0248a1d3dc1da08511675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
f827c5a79a9558e70b9b77df835cc180

SHA1
74564e322fac9fe80eae9eef0c10be88d8d7b2f5

SHA256
1115f144e09f96a624f804d4e2ba2826d4e7c20d8d0ab3186d95fd391386b6c1

SHA512
3230d989249e807fe3688683e0028f2c06f7622a7eb6ea58b44756ebef070b097cba1fed75b444e3aa0fd4e3160463b6d28ce2250f6bf467d9889a4efe76b269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
7873085d69d74f20a8048a2f6c9df17d

SHA1
903c815624626eb43f208e801427ea6bc4c1f4f9

SHA256
fe955babf5562e7e2bbd822e49304989b1c9f77fbe090adc0e3df4dd9c4c3aea

SHA512
ab16d62d06e0520d78adc92867d2d7571060d1a4e5d2f1971c1deedbf0560e2912f8fa3ca852694799603ba7990e0ff03773c1f0b4bc1dee7e99b4d182043919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_06C93241B0E63B9DC7503E92E68915C5

Filesize
488B

MD5
bc88be6d851492958da176b89ee5ecff

SHA1
2bb8c83a3488d7d8c05332d481c1df3add39d92a

SHA256
0c04c03c969fc261eee4b97a1a5039f0dc5789f4bf646f81fe2cdced37d16956

SHA512
f6414ba1484c6a3b02d8aff39e61d4c1efb1bb81bbd57e9b360a678a0eab4567a5e95087accbd94d5be44b6570445efe273d200d7baf369fb3233d66e9fabdd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
fed272e1f3155675550bcc68fd4b4ddc

SHA1
d1452f30e84af149ddd944172fb7c622fe7ea5dc

SHA256
95c65b15be60726d1d8155517782f49a4ae02e7f4ec4565e12b4b78492e247a0

SHA512
a64d26366f3e4dfb90bc16421b2d7fb3592b937ec1b32a717d66c5cc8be6665f5130e513950447f924f150860be82081e2abe5fdb199c8454a598b0de54b5b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e507363c67fd0888c67f96cc6c38138e

SHA1
f3617fc06776d9d313129d444cb10d92c37950ac

SHA256
46877a03bc0f187cfc4b347c6bb319afc06687f9ee78d660766e3b63688c121f

SHA512
6a9c388004f64aef821bec842637cd2b3ceb8e0de76f9be5396fb0bd375bf7c527a04fc345c2da01f2073672e3334d6e191307f85e4be6428908e3cf8dba7a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ed01dbce54cc01fe857b4cb210352be

SHA1
c977ceb09a2154df428a515eab0e8bb17ae4d407

SHA256
b1af69d179b2c97328ab797433598da84e9397996b6f55b624572c9597c58d24

SHA512
e6ada36ef3a93888af9fb61f1d019d62e3ee2272e821efbc3401d38ff99f90efabde037a00577bfc2a62b499d3221b4a171ddd6e29f062992ab6c1b2fbddadb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8b58616bf128697d712353493263d17

SHA1
f42366dafa0f156549be80dd32190f569b3cabb5

SHA256
dae61010ea4feeb6634c01ee3cc198fb217ce56146ed935f8407a44b1c2e3fbd

SHA512
b3da741e4cd333e8c5637d6577b5e451ed36e7ad6c0c90c89ef1d3822e1447ae925052021e321f27f8d5204319011d8cb9242203fa2d336edac24b3dc38a47c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8e44adb1d47c03e6b52bc78c706decdd

SHA1
87efe7e764439358d18b8358a18fcf24e8755af2

SHA256
f4642d8c7c463d850d3c805bc11739ffdb7ecb232b1161e04fca9524f747c9aa

SHA512
fe270d3d01c0e13b775e9e38d09a5c5da6d4241226f208626a68aaa573fbc6b479da40d27e59c68350ef201d87ccac70aa3d636aadd2ea0eaa0d050d7c34a21d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
030174ddd0602f776bd607dfc0e88524

SHA1
249205aaefb2d126b0539286365f0c9f9babfbb7

SHA256
a1ede87bb1f5625ded2c759252b8c59cb9fd2e7f4d3a0a0dd3125b661c3a2279

SHA512
445104b68fb8f14ec8da82712f0e84ed5ff4865de251e83a3fbdab9a515df2d395561882a950e0bcbd1eb1ae1c18d3dc27de4f19e029160e7761361fb857be46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
80631de9dea03b350e1d3ed7d3bbd9a0

SHA1
6900c88af6929070c9ee1bb4bad6d55ebc0c3acc

SHA256
43a7b478d2870e5e60e9ed364e84803c9603c11e6e6697ccd3661fe1246edda7

SHA512
ccd1a18a85c634f2ce846dd5ec9bbbb16b94421933f76a9227e2f90fb6951bad77ead69bc7b9cf43fe7a8977f653e42ab88b2c85811b4e5796e1f3c3fc1e3411

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9951cd42da95656bdc7aa736985c4b66

SHA1
e5ca17827912f225407d74ecd6b1cc22dbe89b81

SHA256
d9d335dc06d74fc13322208af41b8626990f439194420b446b55241cf610a506

SHA512
2715dd5c3a463d44a9872a09fa1fbe88245db2e454e0c412ac9388d26289ab5ddf0ff0ac5a8c825aabffbec074fe5701b55fd17cea5aed52e1f11ce0d1bbc573

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\316029e3-4bcb-4e4c-a21a-8939e825d054

Filesize
671B

MD5
a67bb8382c0d83c288d6a749ce043cfd

SHA1
4b5d67ae1d1242e09738b25a3c005091f0a4d658

SHA256
0c0cafa5156ce6083d9224cf04fc0ea794a86bc438a8c6f6c31f505b912c6a34

SHA512
7e7b693fe7d294464f0ca00425e70cea05a0beb0cfaa57d0b5ee1c64be4865eee6b8938cf54b6ebd0f61ed5e22a07799c4e4f8af9ac23ade17482d9522e70e29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\6b537d29-2940-4b5b-b797-c1880dd874fe

Filesize
982B

MD5
cffeea51b32a9f7fa272faab19c9a025

SHA1
5f6dabe24d5aa388e48974a5bc5b5edd37692599

SHA256
5745d5794a277e5f50dbb05958ec4e5401bd0c852204f96d0370e967c9b794da

SHA512
bedbf19448377702f3f47a81a518bf5329ce26df8e726d480aeb8fbfdc9b5b12a65de9087a1f1c672962b6fd708279be56bbe31a7d0b73c713c24664fddd849b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\8b9e0412-d7cb-4b88-aa8b-aea9415d4990

Filesize
26KB

MD5
b54fec194f8b54a710cfe0c2d135e60d

SHA1
faf7186b01862f5205b25ba2ce2e7c9fa42f1550

SHA256
87deb1662dcdbdc222f2b80c469051092817f1996e56721973642880064cfba0

SHA512
acd0187e9b426dca33a05d394743263fd566cf0a5e1a750f37273a2cc324e6ebb02b29adee078c3bd59c398c359da844312615b495ffd498bd1f3e6f7ecbeb95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
d35fcab117aefcd2c9fd016cacce83cc

SHA1
0e9ec02848190d836adc430b497ac2c8cbdf82ef

SHA256
1a5a064096eab731783a69cb3e3a3a66131d83fff15a50509823ab2765c47366

SHA512
22ee01b07ece8c82bea546e48460feb63b408f835ac20222027ddefe312be856f003dce9e1d510cfb2742618e32115b9006d97bc86ec2297c79f406457b380dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
d8fd8f1795e64f4b18a3a618c969924a

SHA1
09d4ba342901cdda1c0e90e39d5ab3e7043d2082

SHA256
7802a58350454b065cbe3b99f7f26b8f7f4cde0ae69da64948868fa836cfb110

SHA512
e9533fd60f72ea15c326eaf8074231db330e9959613e883611f34195c42e1187a44ef07bad01b46f31a55d689b6ef712acd544ffa9929d9718d991afb4020f84

Download Submit