hxxps://www[.]autohotkey[.]com/

Resubmissions

25/09/2024, 20:18

240925-y3f6asyflc 3

25/09/2024, 20:15

240925-y1nglavhnp 8

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.autohotkey.com/

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2072	AutoHotkey_1.1.37.02_setup.exe
4048	AutoHotkey_1.1.37.02_setup.exe
5020	setup.exe
1212	setup.exe
4160	AutoHotkey_1.1.37.02_setup (1).exe
4780	setup.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoHotkey_1.1.37.02_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoHotkey_1.1.37.02_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoHotkey_1.1.37.02_setup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 637726.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 235823.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
1808	msedge.exe
1808	msedge.exe
1300	identity_helper.exe
1300	identity_helper.exe
4432	msedge.exe
4432	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2072	AutoHotkey_1.1.37.02_setup.exe
4048	AutoHotkey_1.1.37.02_setup.exe
5020	setup.exe
1212	setup.exe
5020	setup.exe
5020	setup.exe
1212	setup.exe
1212	setup.exe
4160	AutoHotkey_1.1.37.02_setup (1).exe
4780	setup.exe
4780	setup.exe
4780	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3884	1808	msedge.exe	81
PID 1808 wrote to memory of 3884	1808	msedge.exe	81
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2288	1808	msedge.exe	82
PID 1808 wrote to memory of 2324	1808	msedge.exe	83
PID 1808 wrote to memory of 2324	1808	msedge.exe	83
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84
PID 1808 wrote to memory of 2356	1808	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.autohotkey.com/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup.exe
  "C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\7z8B963818\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7z8B963818\setup.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5020
- C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup.exe
  "C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\7z8BFB3FD0\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7z8BFB3FD0\setup.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,14955497723484706943,11572052157972920182,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:3444
- C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup (1).exe
  "C:\Users\Admin\Downloads\AutoHotkey_1.1.37.02_setup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\7z96BDE040\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7z96BDE040\setup.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
357419951a066336f35b66cc8a12d9b4

SHA1
e8ec410669ac49cea248ef362260f31b5e7f9659

SHA256
4965065daa75dc9f3375b19666e1d881d5fc95f86b70260de8fbf77b83962ea7

SHA512
1cdfac3fe3b69cb459593a89a8ca8a668d0fb5d3801f7f9cdf53608bd6b6bd1e88a8a349047fc5b25922f2a43a2b860d291046504484f0d262d7a78361cd466b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
759B

MD5
03d3e290124b387f1d0c062f57dfe2c0

SHA1
9a2e1e2617fe32f80c150a785285ce68341e1bd6

SHA256
ce531bbd9978dbc87a180d333527d974d476cd6e1b9a2f44caff35b3ef210909

SHA512
4d168283b39153558b1b502dbb0cedb265e47a03441b2f6662921b152e0c3fa1c9559e1f5d4c490f94e82746521541568c4687ad5f932fa5f4b2bf999243e404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f61c3ffb0de6e4714bda20c244888844

SHA1
d595f391af467df3c8caeec19fc885230874f9bf

SHA256
654d4993baf42f9067422a8c25205afb3c70c7d251a7b4cbf9a5d6c9081d7e8a

SHA512
61a84780cb78f2b60bd866ec278542c2a921a26c72603a23e88aeaa7e018a462434a894cda14eb5f469d77783025362a7a538a8409e5993a0ad26dbae94b1cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f37c47ed3267545691790c7efeb6906

SHA1
ae6f029f3d7396216246d0b2f3a3432fa177369b

SHA256
b5f1721d89a9067f659c593b9759f4156e1e75ddfd88ade656020bdf5a786bec

SHA512
64b21786db8e5cf78f4fb7b955fe135f12b716374b8ddbe121de6857c6e4cf9d9fceae72155a13e67678e2700c5ec171176d58edda89408948682cdcf7dec997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc5c98fc9adf6ad86cb1df51005eea2b

SHA1
ae266437dd9e01bd7ba60fba0ec2fb8b8994ec43

SHA256
075dd771472887e49dc9bda4644acba7b6e1be95b11e9277d424afc8520bbcf6

SHA512
280420bebabef279e2b1247181ee5810560de61ae5d6a46cb904b41405eccfa2878bf78c22e3f3da2d2271bd42c02218ddbe9268588d9c2cf4c403e05ef4d753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ecfaa3d0e2216eed27f033bc40135719

SHA1
6aa276a75679c138c1ea55f47fabb96e497bd5bf

SHA256
73b8e65412ecf7e01a56484e167a62df221a4fe9f743ff25adcbed09d786e84a

SHA512
f963c82729197a404270d8bed6f588d47457442ec632883fbc6c48c697c987bae57cf36592c7d588bf7db9221d5ca1754fd226f32188f4499c647407231b000c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z8B963818\setup.exe

Filesize
872KB

MD5
b98ee9e00b5546763f9c6e65e436f6e6

SHA1
a28e2b0ba6cc748d166b2eb6d0c8acb0bd3b9f3b

SHA256
6d876c526b5cbc5dc5341c1011b1c91639597f46677a1d42426f4a52dfea6756

SHA512
556e632fe39231622398c5afccc51d01f25bc430705a126737877ed9f354c7076b5bf3cbac27f8a1c4db4d326b6a8848fae4b8d6046f816597c370d06e824591

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\AutoHotkey.chm

Filesize
1.9MB

MD5
17d5e275dbc8278d888f7da1d681d7e3

SHA1
245cd35e6caa42fdd3936d2122c7464c877d6591

SHA256
de37a93068ca25701b3413eab0f01fa1646d2dab0346d78494192e95d94ad521

SHA512
041420c5fcba5d2fa5e2d549319948eb77b416cb32ce848218b2681f3bdb5a7ab50d795cfdabd068330f6a4f16812ae91564d654a958b0f0bb188d11890c4ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\AutoHotkeyA32.exe

Filesize
775KB

MD5
fd94b77958305a1ac3eeac27ee765256

SHA1
bdf7f5633cd529186c7c9c87c120a58c35515d2e

SHA256
6a98b438b67da7316e9251eb1a92cd5384a8349d239a77903f7282fa076a77c3

SHA512
1e97ddbe9374513ec9a1f51313efb3621f81a309bf78982688b4c19aa389f0b422a604d8adcd84dc1ba28f44135d30edde06e32705fe02762e92cf2bbc725a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\AutoHotkeyU32.exe

Filesize
893KB

MD5
b6af97aa32c636c3c4e87bb768a3ceb7

SHA1
83054af67df43ae70c7f8ac6e8a499d9c9dd82ec

SHA256
ba35b8b4346b79b8bb4f97360025cb6befaf501b03149a3b5fef8f07bdf265c7

SHA512
54d2e806503f8a4145ee1519fc5e93cef6bf352cf20042569466f6c402b0a402bce99066decd7729c415cd57da7a9923a1b65926b242672731fe2f9709cf6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\AutoHotkeyU64.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Compiler\ANSI 32-bit.bin

Filesize
704KB

MD5
31ed560d3edc5f1eea515c4358b90406

SHA1
36efc45f806ee021ef972dc80932f13f532d9ccd

SHA256
f5a5c05bf0fedcc451ade5676a5647e828a6f08cf6c21970e6c035f4311b5a3c

SHA512
cb410bad3297493b68e51677b920a808393a30096eefd1cb2c7cf07c8432c78658e803099841be8167eff3f42475b765992da7c11a31e39108ba49010b07ba6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Compiler\Ahk2Exe.exe

Filesize
972KB

MD5
78515b1091f74c0f828aed92d3c972b0

SHA1
0103e030518db102631310ce4e2eb7673d7a1994

SHA256
754a28ed76a7b4eba7909b146cfc4c4c2aa43aff54e10a5cd6dbc939c0732b6a

SHA512
8edcfe6a59d56d69f0fb7672410fcb24fa0722a5d651f076a3b76a424140e162a213fb038c995ae9c2024929c88aa1fbd979694a485163c2d3f8ca3be75502a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Compiler\Unicode 32-bit.bin

Filesize
822KB

MD5
db213c2dc5d0f542a1e925f09c021e05

SHA1
41bebccc1dd9c44c4407892daa3d3fe44c2216d7

SHA256
2d193510b56fbdb8530f8ded2f1c9fb982df971dca5fad1f24f558be16a4f804

SHA512
dd0977a599359f577c5a52d0f86092a12488f291613a0d4812fca64e0553c4d61501d5213e7afd1a62c62da8470e4453f8d1ea2bbea0be74ab223bd4b47e97cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Compiler\Unicode 64-bit.bin

Filesize
1.2MB

MD5
30da2df436169d6f09732e61d8849a05

SHA1
25694362dfa391caf55733772ca61a95978d507c

SHA256
6e7c9ae1daabdb958a4d9c8e7297ba956c9504b5f76ce61fc31281f5bb0b0b55

SHA512
134b616b01a18f9451cbfd947d6dfcba21a31615a5cb513a29c6e5f77d8bb2776e868a215f7f533b1bac6a82536cd8838db7b1f69025735cbacf94afce158066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Installer.ahk

Filesize
65KB

MD5
015d8f0a9ba93e41f418b8db8bef6a10

SHA1
06d35e419dc82f91d123f129b88ff46511d1cf2b

SHA256
ef88ba74aef53793937ddfaaca4908772fbaf2e7c9bfb5fdeb3c0a6b95755cd0

SHA512
cd034768b35fdb96251563cb87cddbfa63c55bfb798aa8ec6fdd9faa6b0155d6b42bc30ace6fe9034aac45ba3abc434613df2cb0e07a4b1b0bf0ed8ebb2e71d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\Template.ahk

Filesize
324B

MD5
a85eeb1dc6f9a33897c407b4240dc20f

SHA1
be409c1ba630f2f11ab31e5f42c8a90ab49e8d8c

SHA256
23e5115a25e2d539057443b0f0e9740b9ae85d7de0da204f1d739c9b2e206058

SHA512
9ecaf71105745739d79207313bc837ecb9fe63cd1cb66e75808e615dc58f5d931f9744fbb04c74085a8cb03142ce43611af7763e8b21e4821a32a58b0d64f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\WindowSpy.ahk

Filesize
5KB

MD5
32020e55548b1e9e7ce22899617d5cd2

SHA1
6aaeb5009dfae698449449e560feda2257187fd0

SHA256
4688629be394986c8dbe6517032429e6e8cdd9f5801ddb1ac1f53e6fe86eee7b

SHA512
12b5ec622a7f5d3b07d7db821002e4d7886095be0274509d721040812bcf01348daa6a6c9db485d6ac6b58f9684443db0a31963433a33cd3e8a3c7c2e3119475

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z96BDE040\license.txt

Filesize
17KB

MD5
e3f2ad7733f3166fe770e4dc00af6c45

SHA1
3d436ffdd69f7187b85e0cf8f075bd6154123623

SHA256
b27c1a7c92686e47f8740850ad24877a50be23fd3dbd44edee50ac1223135e38

SHA512
ed97318d7c5beb425cb70b3557a16729b316180492f6f2177b68f512ba029d5c762ad1085dd56fabe022b5008f33e9ba564d72f8381d05b2e7f0fa5ec1aecdf3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 637726.crdownload

Filesize
3.3MB

MD5
c2e8062052bb2b25d4951b78ba9a5e73

SHA1
947dbf6343d632fc622cc2920d0ad303c32fcc80

SHA256
49a48e879f7480238d2fe17520ac19afe83685aac0b886719f9e1eac818b75cc

SHA512
c9a5ea57842f69223bd32a9b9e4aaad44d422f56e362469299f56d8b34b5e8bbf2b51d4e64d2bebe6c95d6d8545a8a88e6107b9b0a813e469f613e1353aad7a4

Download Submit