Resubmissions
14-11-2024 08:15 | 241114-j5mcrswerj | 7
14-11-2024 07:56 | 241114-js3h8awelk | 8
14-11-2024 07:48 | 241114-jnh9sazjhl | 6

Analysis
- max time kernel: 115s
- max time network: 448s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14-11-2024 07:48

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ytzp7vuu92w1j.blob.core.windows.net/ua0mskevqzgo84btqr0e/5HVFVzz1XInohuCeVgsT.html
Resource: win11-20241007-en
General
- Target: https://ytzp7vuu92w1j.blob.core.windows.net/ua0mskevqzgo84btqr0e/5HVFVzz1XInohuCeVgsT.html

Malware Config

Signatures
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Enumerates system info in registry 2 TTPs 5 IoCs
Processes: SubZero Spoofer.exe, msedge.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SubZero Spoofer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | SubZero Spoofer.exe
Modifies registry class 5 IoCs
Processes: msedge.exe, BackgroundTransferHost.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
NTFS ADS 1 IoCs
Processes: msedge.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Release.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe, identity_helper.exe
pid | Process
4780 | msedge.exe
1192 | msedge.exe
2592 | msedge.exe
4984 | identity_helper.exe
656 | msedge.exe
(64 entries in total; the rows above repeat.)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes: msedge.exe
pid | Process
1192 | msedge.exe
(64 entries in total, all for this row.)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe
pid | Process
1192 | msedge.exe
(64 entries in total, all for this row.)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: msedge.exe
pid | Process
1192 | msedge.exe
(64 entries in total, all for this row.)
Suspicious use of SetWindowsHookEx 14 IoCs
Processes: SubZero Spoofer.exe
pid | Process
1500 | SubZero Spoofer.exe
(14 entries in total, all for this row.)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | Process | procid_target
PID 1192 wrote to memory of 2344 | 1192 | msedge.exe | 80
PID 1192 wrote to memory of 2608 | 1192 | msedge.exe | 81
PID 1192 wrote to memory of 4780 | 1192 | msedge.exe | 82
PID 1192 wrote to memory of 3288 | 1192 | msedge.exe | 83
(64 entries in total; the rows above repeat.)
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ytzp7vuu92w1j.blob.core.windows.net/ua0mskevqzgo84btqr0e/5HVFVzz1XInohuCeVgsT.html
  PID: 1192
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff857b3cb8,0x7fff857b3cc8,0x7fff857b3cd8
      PID: 2344

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
      PID: 2608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      PID: 4780
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      PID: 3288

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      PID: 3500

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      PID: 764

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      PID: 2592
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
      PID: 4984
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      PID: 1516

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      PID: 3000

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
      PID: 1540

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      PID: 2776

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      PID: 1284

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID: 2448

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      PID: 4564

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      PID: 4528

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      PID: 2036

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      PID: 4756

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,10150373861102808602,6615819343075579618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
      PID: 656
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4480

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3296

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4216

C:\Users\Admin\Desktop\SubZero Spoofer.exe
  Command line: "C:\Users\Admin\Desktop\SubZero Spoofer.exe"
  PID: 1500
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SYSTEM32\netsh.exe
      Command line: "netsh" interface set interface "Ethernet" disable
      PID: 1964
      - Event Triggered Execution: Netsh Helper DLL

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  PID: 4804
  - Modifies registry class

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 4468
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 3d68c7edc2a288ee58e6629398bb9f7c
SHA1: 6c1909dea9321c55cae38b8f16bd9d67822e2e51
SHA256: dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b
SHA512: 0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Filesize: 152B
MD5: c03d23a8155753f5a936bd7195e475bc
SHA1: cdf47f410a3ec000e84be83a3216b54331679d63
SHA256: 6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca
SHA512: 6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 106366c23e6456d2b8b19456f3742003
SHA1: 6ec610298e029f3004b805fecc92ca7660ea0a58
SHA256: 8de0b6afabf6f0b1d06556b11ec656753b6c1fd9f754156f16d29639d553fec7
SHA512: 2405764aa79219177e34f841fc3a319f73efec6e29e647504de42d8927dd0eb631aa2c2f7197855b15bb7ecdf99736cbbf83458b27d4d94ba850d2343db511b1

Filesize: 857B
MD5: fdd0de92e3867eeeeb67b0cdb54b3df1
SHA1: d92c7d499d2c8cd86e0c88ceb80406830856e1ea
SHA256: a7c1518719f20bd3b7b956bb4daa5bddfcc4e120d98a27ab6a9f0f762d15f933
SHA512: 4f210a1d4b1fa2e9b902e8314b5ce54c52e736d464936e595c5a939a7fece635bccedde4a591dea2f775bdfa4bfcd0f5ce80bb53bf94dfcb820bd9ae07cdd59a

Filesize: 5KB
MD5: 6cd5a09e78a7e74d40b192af06e7648d
SHA1: 28a55ae14262adbe6c1c9d2441597561c9c58be2
SHA256: d42b56011fec993a6bdde0b742ad937c2d141522508f3948fd73b2257f76fe03
SHA512: b989677ad7d5d1cad828ea13c6aba3a434aacb514e8000d51ee77d243e71fff0d8be51b98277ae82451e401368073a6734bf50c46ccb633e46446b67afa8cf22

Filesize: 7KB
MD5: 83bbb5a9973d959550661f274af38c15
SHA1: eb40361cd6fe1bfc26124f6dcf38a74e27c351f1
SHA256: e5491303305167496a3724f5cc193d499bb97cb4494114ed1d59dc6aa610f52b
SHA512: aae2dd6ce29eeeb7e7da56e444934bb95a2df8507a86c5f3e5799bb25dc825aa5a515f1459fae0787833441946536dad7cd112c08de6c7b7d956b8d191152b14

Filesize: 6KB
MD5: ac0560a019de1d1a3eff4d36b8f41868
SHA1: f1b9fa91f17618f812719c1aeb2e79057b48b356
SHA256: e63f3099a3aa820e661add5c385fd74beea6275904a8f0b93d6067d280e4afdf
SHA512: 79759150ff55bd9a9b6313160c48b36292a7fe9dce0f55ea403bee83a9c50631e5fa8c3e7eb109486c1f84a73e709417f958e7f8a7862275cc5bcd63ce4750b3

Filesize: 6KB
MD5: 23dc72a6fb972ea1de96c20442d74be4
SHA1: 26924f00e3c2cf36657c15d06c2261d2528efa2d
SHA256: 8712c65b92d54926e2454e622b7d612608afb641566210cca6bbc84947be9b58
SHA512: 41803545165d4eaa6c050bc97071a1fcb9efb1a5bcb0c3477500fc187b7926566528db8ee062b49809120d8f1cfc65159968b0bd9cdff100293be79ff1b57e41

Filesize: 1KB
MD5: e41bce66a8f8dd160f1fddead74f7a57
SHA1: 6a5a7cd4db93a92be92b38a8f31fb2630be953cb
SHA256: df6b02c8c72d75564439abedd99d8a7bad6548b362598d9e5b5700d42278abf7
SHA512: 77f6709707172aa92e34be38a2e7b2071cb13ee62601e4033f1e364dabec77370d8d7733f035505517d7f88ff4c6e47e95c21eedee75b871343b794047f3dee0

Filesize: 1KB
MD5: c38953f8a405f45ba441a2bfa2859c10
SHA1: a6f9668cb88c3bc8c8e22f57a3d03b27bf55e765
SHA256: aa1dbbd14a058fb34aae3e02b9dd8df595a5e46728951bf054a163b907b67d5b
SHA512: 59db622af122a7ea512fb357fe6c27066b25dd9aacf7a1d1222d7141a80c778efa1820d1a8a4f85c8fe5df8f355a019d985deebd2afd68b828d0e1a58169ef7a

Filesize: 1KB
MD5: 846edab1a82d15299328656e5239eb31
SHA1: 566bb619309fdfe1c521f291168f086c3845746c
SHA256: 1c7b94ffbc22575c2256c79a644bb98360d9fc75c6850d2e8f67aa020d21ce86
SHA512: 4117f99795974d1d8385aad9b17aea0bf7ee0ef5811b18c6e9f0e1bd89ef339a5de63195725f32683ca8f94ce1f93aa9e8950cdcce8407444de2fc03aa495019

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: e18bb2785c05bcb7677e1ed1443a585c
SHA1: e881534078e656c0f8ee808992a8789dc83590b3
SHA256: 0342413175f37a53850acf3f39e1dd02a1e74541003a44a19d4e86c28927a6cb
SHA512: d0298efb637646f4af755f9eae294f66e7f17cca94d59b738aa9733aeb4cb8a7e281a67285d2228262a491d7afa50472516cee37ad3ca0e4e7ae102ba8ed8d9b

Filesize: 10KB
MD5: 2d94468b1e10440d010bfa5a7a188f9b
SHA1: 7406da9fecd715e9ff5a9ce6240f05cbf4ef4188
SHA256: 4d4ae29e5e48ad6f09643ded68832c5bbed5ff770d678471373549ddd1addc2e
SHA512: 92db14511a9cc7a23d0a74bcc23c7123dfe085422f26a7a859d4031cd5035c69f5bc37dd89c56b3c60147c4241419e95ca2cd3535e2653bbcb2a65dc1493c0bb

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\cfc549c2-f5e3-4671-977e-f07873eabcba.down_data
Filesize: 555KB
MD5: 5683c0028832cae4ef93ca39c8ac5029
SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Filesize: 1.8MB
MD5: 14b397954778c4eb62515af3377a964a
SHA1: 08036d759d45c293dd19f1b6ac246d8a9dbcabd9
SHA256: 8daca3ebcb615c264eb7542a7c92779cdac524911afd85916aef28d68eff5618
SHA512: 5037ad0cc79dfbddd177eb8b4f425af311d8d3778bbb98102e829281f7e7890ef2ebce3c9d9e7b527a1c1b790e423bde0eaff66957c758b602cff1bd8fa38e1f

Filesize: 104B
MD5: 5a43f201c9038ad5d6cb60e340ffe878
SHA1: 48f5d4c0f3d08a76282b6567ee0f12c9e93d995c
SHA256: 77bd598e8489ee1b2bd3fe372e2999cf580c8f59604ae4e952065415be9a96a6
SHA512: 2b7bc44018f414cab05bc74dd281bbfdbaaf30f6e044de098c58fc57adfd4023543bbbca4d65ba37c010bcca7d41494bbd9b3568f6bec2f49444a5c375f2cd07

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e