54b51bf19ffce063577597534e1658d25e5756072366cceafec91af5d7382f4a

Analysis

max time kernel
104s
max time network
386s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-10-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V1.5.6.+.V1.5.8.zip
Size

3.3MB
MD5

376d8646fccd79826d049751bc72ec81
SHA1

63b00bc8e21d97d3be49495a0511b7d38645b6b2
SHA256

54b51bf19ffce063577597534e1658d25e5756072366cceafec91af5d7382f4a
SHA512

b6bfee3294055bf0344430bba9d7ea82c55cb4aa6b84b437ad267a48f48f0f3465f47857a8c8748b42a3385eb783840cbd968395ac860b31a2005986b147cf77
SSDEEP

98304:4irm4peYUuEpjoaua/Iu9ugQ4uPlUST1laev2j:4L48iEWCj3uNbld2j

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	camo.githubusercontent.com
44	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	SecHex-GUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SecHex-GUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\V1.5.6.+.V1.5.8.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
3612	msedge.exe
3612	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
3720	msedge.exe
3720	msedge.exe
4584	msedge.exe
4584	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
3612	msedge.exe
3612	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
3720	msedge.exe
3720	msedge.exe
4584	msedge.exe
4584	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
3612	msedge.exe
3612	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
3720	msedge.exe
3720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
860	SecHex-GUI.exe
860	SecHex-GUI.exe
860	SecHex-GUI.exe
860	SecHex-GUI.exe
860	SecHex-GUI.exe
860	SecHex-GUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1356	1388	msedge.exe	84
PID 1388 wrote to memory of 1356	1388	msedge.exe	84
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 1968	1388	msedge.exe	85
PID 1388 wrote to memory of 4584	1388	msedge.exe	86
PID 1388 wrote to memory of 4584	1388	msedge.exe	86
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87
PID 1388 wrote to memory of 1440	1388	msedge.exe	87

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\V1.5.6.+.V1.5.8.zip
1⤵
PID:1044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa61f3cb8,0x7ffaa61f3cc8,0x7ffaa61f3cd8
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,15823255063318634237,1782083023022069630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4112

C:\Users\Admin\Downloads\V1.5.6.+.V1.5.8\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.6\SecHex-GUI.exe
"C:\Users\Admin\Downloads\V1.5.6.+.V1.5.8\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.6\SecHex-GUI.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:860
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" interface set interface "Ethernet" disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d9e20067f88b06590d1308f574377c66

SHA1
bf76d8ddc83caabdd269785a062689e4070ce815

SHA256
3a818bd2fbb8656b85cb7177a4e8f8a478dc8f313e50e8552106d9852593b819

SHA512
eec02b3f2a066fbac2d0b6d0b3b8b1f68cef4e6388b1908b88680c904e3e8563505cbb9d4258db324455d1ce03e832a4a128de52130bbfa2f0d199f42d53549e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
888B

MD5
1bc92e3c89f2a1277448cf54d451edee

SHA1
286b38c61f70d7b6d5a1c1e0cbae7d52cb76b616

SHA256
f2450efd807c57276d6029b700464739c799d61c908971ce2863cae0b1cce2d3

SHA512
e58c30e6c88e952e3798e7d25f9d08e2e45b73e7722aa32fed89478598dca08ec1b180069edbc20c48c691eef34c2ff02820a189c29445b63ef51d622f677397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20232e205b2fa22ff61b8fb5399cd80f

SHA1
e33f67e46357416aba6cd9cf5750eb28b73e7a8b

SHA256
57532d3ec9cb2f1074e76bf4768acea0089ee3b98b7102650912977913d2839d

SHA512
33886aa8638e5b241fe4ab426b53678dba9a89bf72f191bf63fccfd37e897db4648426769d125c55839e7aa44d97098e694dc36f3a21813a2e4c0c2269122ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
559178dc98e4ab4443498ad12739f957

SHA1
3cd85d2ae70d6a3053bd4f60fb39fdaa617834d5

SHA256
54a135738db527b1b4367db664cfbe74f3ec31c79fe50ab930425e316de49718

SHA512
8665b2ca9ae56d1d80ca1e7f3a30cb6335cb29d03965ab0c6d41611a4728c7441858217cdef1a4e8a4e16d114cfa2f3ca30fbc518b75a0f0fe62e0824436b01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff9df1074522763ef2a0393d874cb826

SHA1
a0386cdba8351fc7dec874892f9a3a815321650a

SHA256
94f789792ea60f3d7f02e00f54e0e6a4dbde716da9a57f16c93440d104509fca

SHA512
b418c125fcbe551e290fda327525b9a16266a44062b94aa9e0c212a156f9d202d15b6d2b3103724f5c94d10c5e67a3bc874df627648c0a21bf8a688e7453facd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4288f0f6cb9fdd5fdcf12034d2516b9

SHA1
9c65be3590e0ca3a364c781f8255c7412a050b57

SHA256
5aa6fa13263c64c170225ed7682af689a7efecdb759e4d1f87f5c25caf023a35

SHA512
dc0e96bcf999177750dd4d7fc8398f4177939403a6e1d1be3921467019f311183cf3d5b59ab72ddfc6a2ab46334673d3273efc5cd483e5d427ac2a0f32a01fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586925.TMP

Filesize
1KB

MD5
7da513322a48057c9174b924ab406d98

SHA1
b1e526805a2291a8904d3db151cf48f52298d68b

SHA256
339e7f22a82b850dcece13bb200284bb3507a2628069d29d3d61813c0a5c5357

SHA512
b9d9657ddfa4dbe0e9cee224cefdb9860edc26863b8899f5947a554c5a3af2f9b138e47ce9bad416b10ded574ae9e7097e4aff975a409a1649c4f8c2ea9c7e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f91ee949c8af0042848e5b95d0f456c

SHA1
3f2fe4766b1ecae138d3f0947724e4e528357fcf

SHA256
b04dcd43e74c957a90ffdbf3508c04d337a859a34ed1647ef365d8ed83a1531e

SHA512
81c174b028b77ec88de57c540dca42e1fa40751af25b6964f166d413ca7f92838ff233a18afafd36f795d906823a845f5b26b4f4d8a1ef740488c90331399654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aca943b46221343b3900cfd82546fd36

SHA1
64af587a17a20960a7e15399908e9c81613e9365

SHA256
c3a637f753d50e3065adddf2aa6bc4cd8b9caaced245dec5b7b1d55d0a4d82f7

SHA512
78f0b59b0c955e3a94ec1f5299cd17ea16a1cc53284081aedcce2d0c8987674026e32ff67b5ca246eb601ade6c2d40bd8c7176c6154d2cb7057c6426ddd04e3a

Download Submit
C:\Users\Admin\Downloads\V1.5.6.+.V1.5.8.zip

Filesize
3.3MB

MD5
376d8646fccd79826d049751bc72ec81

SHA1
63b00bc8e21d97d3be49495a0511b7d38645b6b2

SHA256
54b51bf19ffce063577597534e1658d25e5756072366cceafec91af5d7382f4a

SHA512
b6bfee3294055bf0344430bba9d7ea82c55cb4aa6b84b437ad267a48f48f0f3465f47857a8c8748b42a3385eb783840cbd968395ac860b31a2005986b147cf77

Download Submit
C:\Users\Admin\Downloads\V1.5.6.+.V1.5.8\V1.5.6 + V1.5.8\SecHex-Spoofy V1.5.6\Logs\2024-10-02_01-34-17.txt

Filesize
596B

MD5
60761c11d6a6c41562dbd6e6be072d1a

SHA1
cb842e5f4d4cdae2961bf4f6c3293000c5420d8b

SHA256
d046e05eaa4e615b7f481a0584d0ff27e970f93ea8f8f2d605012048a564a937

SHA512
6ae1d0cf8b10752efa7d9aed5550274d93af48a9602eb1fef3aeb1a82091598912b2bcf3c40069ed77974ece3f1918c42657a0767c4136e013cdc800240a97c2

Download Submit