njrat | hxxps://www[.]upload[.]ee/files/17016148/IHC__pass_-_1[.]zip[.]html

Analysis

max time kernel
305s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/17016148/IHC__pass_-_1.zip.html

Score

10^/10

njrat hacked credential_access discovery evasion persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

10cpanel.hackcrack.io:33982

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1876	netsh.exe

Uses browser remote debugging 2 TTPs 2 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1400	leakless.exe
3640	chrome.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SpynxService.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	IHC.exe

Executes dropped EXE 28 IoCs

pid	Process
5868	main.exe
6052	Setup.exe
5932	Setup.exe
5600	main .exe
5224	svchost.exe
1328	svchost.exe
3900	IHC.exe
4104	Setup.exe
2504	IHC .exe
692	svchost.exe
3856	explorer.exe
2032	explorer.exe
3448	explorer.exe
3680	explorer.exe
904	SpynxService.exe
1688	Setup.exe
2520	svchost.exe
4640	SpynxService .exe
1400	leakless.exe
3640	chrome.exe
5228	chrome.exe
5360	chrome.exe
3420	chrome.exe
1584	chrome.exe
324	main.exe
3924	Setup.exe
2208	main .exe
4568	svchost.exe

Loads dropped DLL 13 IoCs

pid	Process
3640	chrome.exe
5228	chrome.exe
5360	chrome.exe
3640	chrome.exe
3420	chrome.exe
1584	chrome.exe
3420	chrome.exe
1584	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
211	raw.githubusercontent.com
212	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5044	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{2DA230E3-FDA9-4523-88A4-7B51C6A4DB64}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	IHC .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	main .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	main .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SpynxService .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	main .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	IHC .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	main .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	main .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	IHC .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	SpynxService .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SpynxService .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	IHC .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	main .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	SpynxService .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	main .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	IHC .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	SpynxService .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	SpynxService .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5"	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	IHC .exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	IHC .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	main .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	IHC .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	IHC .exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	main .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	main .exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	main .exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	IHC .exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 566994.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
1860	msedge.exe
1860	msedge.exe
3392	identity_helper.exe
3392	identity_helper.exe
5548	msedge.exe
5548	msedge.exe
6004	msedge.exe
6004	msedge.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe
2032	explorer.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3628	7zG.exe
Token: 35	3628	7zG.exe
Token: SeSecurityPrivilege	3628	7zG.exe
Token: SeSecurityPrivilege	3628	7zG.exe
Token: SeDebugPrivilege	1328	svchost.exe
Token: SeDebugPrivilege	5224	svchost.exe
Token: SeDebugPrivilege	692	svchost.exe
Token: SeDebugPrivilege	3856	explorer.exe
Token: SeDebugPrivilege	2032	explorer.exe
Token: SeTakeOwnershipPrivilege	3616	cmstp.exe
Token: SeDebugPrivilege	3448	explorer.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: 33	3448	explorer.exe
Token: SeIncBasePriorityPrivilege	3448	explorer.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2504	IHC .exe
2032	explorer.exe
2032	explorer.exe
3856	explorer.exe
3856	explorer.exe
4640	SpynxService .exe
2208	main .exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3916	1860	msedge.exe	83
PID 1860 wrote to memory of 3916	1860	msedge.exe	83
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4108	1860	msedge.exe	84
PID 1860 wrote to memory of 4472	1860	msedge.exe	85
PID 1860 wrote to memory of 4472	1860	msedge.exe	85
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86
PID 1860 wrote to memory of 4404	1860	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.upload.ee/files/17016148/IHC__pass_-_1.zip.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffad86346f8,0x7ffad8634708,0x7ffad8634718
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,2790698275049585131,18366461105440826499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:5536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1876

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31094:88:7zEvent26268
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\Downloads\IHC\main.exe
"C:\Users\Admin\Downloads\IHC\main.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5868
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6052
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3856
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\y3g2bk2w.inf
        5⤵
        
        PID:2436
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1876
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2032
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\o5m4hw04.inf
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
- C:\Users\Admin\Downloads\IHC\main .exe
  "C:\Users\Admin\Downloads\IHC\main .exe"
  2⤵
  - Executes dropped EXE
  PID:5600
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1008

C:\Users\Admin\Downloads\IHC\IHC.exe
"C:\Users\Admin\Downloads\IHC\IHC.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3900
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4104
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:692
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      PID:3680
- C:\Users\Admin\Downloads\IHC\IHC .exe
  "C:\Users\Admin\Downloads\IHC\IHC .exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2504
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1856
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:3888
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:3236
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:4400
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:5880

C:\Users\Admin\Downloads\IHC\SpynxService.exe
"C:\Users\Admin\Downloads\IHC\SpynxService.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:904
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Users\Admin\Downloads\IHC\SpynxService .exe
  "C:\Users\Admin\Downloads\IHC\SpynxService .exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\leakless-0c3354cd58f0813bb5b34ddf3a7c16ed\leakless.exe
    C:\Users\Admin\AppData\Local\Temp\leakless-0c3354cd58f0813bb5b34ddf3a7c16ed\leakless.exe db2cded0fea201dbdffd46f777e34edf 127.0.0.1:55542 C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-features=site-per-process,TranslateUI --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --enable-automation --enable-features=NetworkService,NetworkServiceInProcess --force-color-profile=srgb --headless --metrics-recording-only --no-first-run --no-startup-window --remote-debugging-port=0 --use-mock-keychain --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71
    3⤵
    - Uses browser remote debugging
    - Executes dropped EXE
    PID:1400
  - - C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe
      C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-features=site-per-process,TranslateUI --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --enable-automation --enable-features=NetworkService,NetworkServiceInProcess --force-color-profile=srgb --headless --metrics-recording-only --no-first-run --no-startup-window --remote-debugging-port=0 --use-mock-keychain --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71
      4⤵
      Uses browser remote debugging
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3640
    - - C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe
        
        C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71 /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler --monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71 --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71\Crashpad --annotation=plat=Win64 --annotation=prod=Chromium --annotation=ver=114.0.5720.0-devel --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffae030dac0,0x7ffae030dad0,0x7ffae030dae0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5228
      - C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe
        
        C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71 /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\rod\user-data\1a4eb28282f02d71\Crashpad --annotation=plat=Win64 --annotation=prod=Chromium --annotation=ver=114.0.5720.0-devel --initial-client-data=0x1e8,0x1ec,0x1f0,0x144,0x1f4,0x7ff6ff981e70,0x7ff6ff981e80,0x7ff6ff981e90
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5360
    - - C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe" --type=gpu-process --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --mojo-platform-channel-handle=1516 --field-trial-handle=1520,i,12078784195509809108,11402656836049265357,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=PaintHolding,TranslateUI,site-per-process /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3420
    - - C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\rod\browser\chromium-1131657\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1728 --field-trial-handle=1520,i,12078784195509809108,11402656836049265357,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=PaintHolding,TranslateUI,site-per-process /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /pid 3640
      4⤵
      Kills process with taskkill
      PID:5044
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:956
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:4080
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:3172
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\IHC\IHC Development.log
1⤵
PID:2036

C:\Users\Admin\Downloads\IHC\main.exe
"C:\Users\Admin\Downloads\IHC\main.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:324
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3924
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4568
- C:\Users\Admin\Downloads\IHC\main .exe
  "C:\Users\Admin\Downloads\IHC\main .exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2208
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1268
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1212
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:2456
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:5452
- - C:\Windows\system32\cmd.exe
    cmd /c cls
    3⤵
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
cafd74774ee92e32d33d986aa1d02887

SHA1
4eba3d811e150ea0e03193916820ceb1353d7d3a

SHA256
a9a2445fa2c7695be72695fb46f2d5fbb7106691d7840d454fac2b91ddd014b0

SHA512
27baef4953ca7ffd10dfc22d6ee2e6b961c1c08aa2a9813737afb4a265bfa9dfa56d577b20b0aefa84c157ab8fbc3fc4a7456c4e5093dd480f22c3fbdef30bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
8018e873ab570e28a36e7c46a551688e

SHA1
1dc2d619736d937c12e818f355ada3798a114bd8

SHA256
a93517822c3517a462709c150ba0381880b556f69a88e53f339df43b2a580545

SHA512
39e52e321f0e19af1c03abf8b7033870acb6d148e7f28573f49ba1ad4b4a8adbb861d1cc28739eeb56f44d3bb6f122f4e42bcc5ed348f3aa5aa37825cecafff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f1e508242fcbc72f1793c18be59b171b

SHA1
05b64cd009cedd6a83074b19a987be5f22164117

SHA256
4b6cb25bf0a968f0ec1a19ddbec59b4a403ffc200e3537af07e08149a0122487

SHA512
368beda8890cc6323cedd702eb58e5e8ee7b8d03058e10b896b8ba78c2226c0c161aae364ca27a15ee5946ae1f1b69ffb5a4529bf0a476ac8863ddf069935462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f74008f0af4c44c68c6bec8bfeacc183

SHA1
2312a53e20bf4cfe1f47cf272cea12655547978f

SHA256
1693b921213f1380563903eeba6e076f8fb8b68a4ecf2c1c94f0be529ec625dd

SHA512
2649a614f59e5c832222be357ac2842390b951ec69bc1bcc89e59f1845d1ff3153e9345b4a0b1deef903ca7457838d28c7c14e5c2f0f7e50ae63c65a7456e1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
afd12b48d81c0b91e7d55f10fb001eda

SHA1
45987c02f54fff9aa87af912adbb294b1570d542

SHA256
f0d8591d19a8d0eab6858291a0ecc55b555ddad3a09bfad1cb5d820f1d0d83a3

SHA512
9d1d4dc754440f75b750b6acc052811a07e4c0095177ec4cf0d5b0f3b90842f53d2c1c993671f273d5c8a2c07da7a07f468d9df17b1722c4028bf4ec4dacda63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b795de91993602b63b123c1316045376

SHA1
5eaf6a9bfe9acf7efadd2e960e9dc63c05c53cf7

SHA256
e9744bebf0ce09b049eb2e9ce1388239cd69ab056a32fb5a867a510f18ae29fb

SHA512
bf84a6979b4c0198c1b4cae1468aaa4cce8bf04c16c373315dbf4eb82ccf0d8007683e61102a906d938a66bb2081716bf7193a76025b4c67feb3e24aa6b482bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2638bb8ad15b7c260eaa92293d441998

SHA1
fc104733591fb3233a6f74b5b8fec33d01d4a463

SHA256
68dbff2ba09304516c0f263f89403ff4280bc697c74ea40c74b07be395ea2b5c

SHA512
bda7acdafc4a1039a1ba261aa8d34e9fd0bda7ba87b2b23dfac2b9c9618fe5ebbb71aae93573631e03310c1de533b2f6c54b1883e404a668d32e179d0ff9c3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c00ff1b89978403b9191991b934be556

SHA1
1d37d5ad3f834d00e28d21eaaa0ad4e8e8c994d4

SHA256
55b98ecc5b99a96ba2b084546f4c1f34ea1ee6cafc82b16496a5f2ee7ccb84db

SHA512
0184784fe158f297644e1ea89f919a164408e78fd72fdd1b5838c49a7849ad8d82ed423eb808ca3ddb902dd2a85ab5ee22ebaf56eb35941364b2bf7e22b7eb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dcca8ad2801b5619590dacaabe0afeeb

SHA1
9d965f95dddb1d7847179917b29e26d481bc7c47

SHA256
0c1cff81d5308d7ae65865c7da48dcaa0ec32556194db1c22f68865b2b87e183

SHA512
227f2680a1e784f5f74ef888df9610378130ca6024239d034a81762f9d0a4d11829faf64187a3137f63e9df251b4ee6f272019ef22b41eb6fc0c0808cee36db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f2bc.TMP

Filesize
1KB

MD5
c5c53e1d8cbc94cd9d94afe7fcaa5ca8

SHA1
f5c70955c99f37e37ad7d7e3e523a69549c0927a

SHA256
a52569e743385678143063de73e4aa76fc6e91062092860c69fd1e83047d9ee7

SHA512
870751746b7a2d78d118efcebe7e2e37340ba1f98a9cd38ca66fc58501aabff79dfa28be796539cec8dbf459f27103b0d347584e8319d99b0660bbb287c89013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
940f596420bed215dde496007e3f1930

SHA1
2501ad0de5c19baffde4643ffab09f358d2219a4

SHA256
d7761e5b0f7fef227d5d21caad47b7cc9f2afad8543f1d94f4bc2281c46a52a5

SHA512
595ef8e2f2566f285902703fa02167098d271198bd02e224c922020abfb3ca147d651a81383cc54dbca8e48c57797194ac4550a031688d24e0061380fc62948c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
08d58a801fe2892ae91d373a65bc3d94

SHA1
d377e99edb1f672747aa4f6d8d2ce337e9e8a2d0

SHA256
f5135e241b141f8764dc931b940d5a55fd43b5fe819c43a8b8b29179078ba4ad

SHA512
5f535a9e687f8d368bf7f59eb25a734e9c69bfda8bfe9dc9259fd163f9122c6d7027c8de3c92ccd1401f1d19423f519aabe8ea05a0a3fbd74f7547630bb4d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
449KB

MD5
914ec5019485543bb2ec8edcacd662a7

SHA1
2b0e0a2513383701690a22e7aebeaba44b2343cc

SHA256
2a95104de0f1dd12579c1068d0a789721f7655de59f84ed431f006b8bbe2d2a3

SHA512
705404fbc5bd94a61fb6ead690058da43500f14d0b56fcec4922506cbdc80aa74165d031ebc387a2ba0396b0347137e174ac6c0adef8e5b5b79ea0510646746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5m4hw04.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
357KB

MD5
0fbc4e35d1d6bfa0ef1c7b149091d40f

SHA1
d86775089c7dd3eae60edfaf916ac7766c6ddc64

SHA256
1768b679e543fd34322440b63e1b78f0eb3e9c7f58537f7c1b23c90de431af20

SHA512
5199ea32d88477aad0b6d8e0e4264677f48c9fa6fb3f899e98a294a53d7193a520f367a7aa8429b7ee51b524c6e5db4614d405c3806f6bdbe60cf74439670403

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

Filesize
463KB

MD5
5ea1964db2700f81e62bd29aeb322d5c

SHA1
e600e6655b8bf5f50b3ed22c0fb5f0f6fc02d319

SHA256
c849a54cbd91f0f108b97b6d176cbe906d54e3f4920a2bbedcc807050711b6f8

SHA512
0a7acaddda9090e07a533f114083beb2d425bff8237f43016e28f0b439867e8e5307cd4ff09c72223fc9974957c0b8e969f8969f6c5aab58b8d1440672e61ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

Filesize
694KB

MD5
81f30132f877f8eebc31a06776add4a9

SHA1
8b55e30a3a8bfac3aca674d566351a2e7ebed56d

SHA256
2e43f03aefdff30a74fe16d958f525f1b13d3c66536b82fe94690aecf61a7cf3

SHA512
4922c32f889b6e027db34bd62d4b598eca6bc6ae42eb6604a476971f5daf0d150509ba0518f56dde58a3c9eff437a11ea133fb89c4ca0a2f817bdcfd799b6157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
307KB

MD5
1242c41211464efab297bfa6c374223e

SHA1
42d15b2d2f4b436e8064cb56639269934f7e2c5c

SHA256
9cb018a17bdf9cd70f7c16f31bcb3eaa5183eb3c2a26d6c59d5c65d3438cac75

SHA512
7730e0c4fdeaaf81af454cefb5509fd2bd28f2c889c69ec23ec47338283e32ff681ae6362e08182e52eaf0e95de641f31c8f0ca0f22419f05da58cdbcca25a18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
C:\Users\Admin\Downloads\IHC\Hotmail Inboxer_1735727172\bads.txt

Filesize
5KB

MD5
cdf66f824aed4eca79101a141295b280

SHA1
622d254be92a513784fdf591915a6b8a52661781

SHA256
12f79d23ce62ba3e54a5b98e569a1d827d01151382c07c21334d5e0d35622fa6

SHA512
d432544a302bf65382d5383b1b1815d68b3edac8fc34f7a61e6ab2a111fb028d5f253595129717794cf6d1e203f664e040618986773ce8db8abaa8b017dd8e8c

Download Submit
C:\Users\Admin\Downloads\IHC\IHC .exe

Filesize
11.5MB

MD5
563cbeceb23075f3889e51f995a59f12

SHA1
ae7aa3f654936cee7ebb51ec427fdb1029581d54

SHA256
8b154e690b2b3f0e46c13e569090cd3ad4c8fa43bb6a67cd949ef5d94344ed01

SHA512
bda309ddd05a155904c4d9bbd738dde90da71332bad79b3e708bf8475041cfb541480dedbaab2abc01c219227b0e5e68f4a648f3467975602b189b1a23b14f06

Download Submit
C:\Users\Admin\Downloads\IHC\IHC.exe

Filesize
12.0MB

MD5
5b6ff6dafde02e5185482865ad955146

SHA1
5f9987e2d1c7337342ec62c9f26e556759509919

SHA256
ae4961617d9b87a741e1874504900045b41b630156870cb04455d79f100366e5

SHA512
f2a1dcb6358c3363e92ae8eb132abb8b6e3acec22d5d1826a21afdd4bdf42adde832f37dcd739688ed9e78f6f7c5817bca47b31786f9e8f5f25d741a03fb825d

Download Submit
C:\Users\Admin\Downloads\IHC\SpynxService .exe

Filesize
21.4MB

MD5
30bca3c862157f7c3c3db7f7ce5d93fa

SHA1
ae6725f06b7e0f69ae133e74a90c6f20d6a6f941

SHA256
04ba1fbf8f72ae692e84a751e8606a2b81f7a051a9b536d3c6b2a5e291176684

SHA512
5b8d56ced64c0ebe1d3e4d190539a48ea081677500a7b2fe49fc576dc1fc06fb4337094d44ed7ac258adee0d66f723ee56cd4e5179282420742106de3e55465e

Download Submit
C:\Users\Admin\Downloads\IHC\SpynxService.exe

Filesize
21.9MB

MD5
328ee22aa1f35ee2893989884d4773eb

SHA1
a8bad059652df26e28dd54655fa41b4857f8bc39

SHA256
2e8fc47b9462ec17997c1b5b8aa5bf9d858105415e3e31520d713a857bcfcaa0

SHA512
e5cd01ed8beb54228fa4052b10371b9dac8f1ae65d8e74de78627e4398c161ee118da711f2a13ef8679496bd2b52c6b4c9c684df11463179a5791a01c4913de7

Download Submit
C:\Users\Admin\Downloads\IHC\main .exe

Filesize
9.1MB

MD5
83948d57a66d3c9cf66eb28998fca3a7

SHA1
623a44c3e16ae60ef12ed95d589fe891feecf32e

SHA256
88c5d4c75280b5e900e229db7526fb93edeec79264dce739c77d70369bbb1edb

SHA512
ebd2c8b1701472cb67ab2bd3170e986550f631889204157c452b046e9eb873cc0c2a86fa47a53bde3d632ee6961bfaf699d1a37696fc732903031097435081c1

Download Submit
C:\Users\Admin\Downloads\IHC\main.exe

Filesize
9.6MB

MD5
7e6146ecccb28d5863ba8f722d8ed7ae

SHA1
5e7bcb24df5fc1319197b106d63e3913276a2c08

SHA256
087121e959e6a0fb8f5a3e0c95ded350e84e09f3d776a98b6c9431026ba46779

SHA512
56d8d4ddfeb206cbae6befe90c0ddea55cfd091d35847967f6515525af89df58f289ff9ed1911fd1e0ce3fed847f3d87b8abda096aa177657e801ca4040bc5d9

Download Submit
C:\Users\Admin\Downloads\IHC__pass_-_1.zip

Filesize
22.8MB

MD5
f6fc54765b6f12d4ae7be9bd990d7e96

SHA1
b89f7230325eb786aa7c35732c983ad43f09f53f

SHA256
1337ff0d7b20ebfcc32e7fb5e88febbd9e170159352bd8e7fd7137b83c9a5dcc

SHA512
30b87bf78a9732ca34c6b5d63627df840fca17231716689656e6e0e59a32f7063c5a1a8d21616d6fa62e6396f1d371973ac216580600fe5d6d40eb5e2edec73d

Download Submit
C:\Users\Admin\Downloads\ed9f3187-7075-4560-8891-4529f706ff21.tmp

Filesize
9.1MB

MD5
4727b14dd947e5d08b843000c3edd39a

SHA1
8f1779a4fd3a7f92286745ec4af99d0993bc7e09

SHA256
8d56ea298e11dd53bb572a0b91b757affdee2ccd113985e473ee666a7b9f9d46

SHA512
d5763b91a41dd55b6558b7faffb474f420cda5f0692705f269fa49234d831595f99196532b08eee73172138699aaf407173dabc519964b563f337981fa285dfd

Download Submit
memory/904-483-0x0000000000140000-0x0000000001722000-memory.dmp

Filesize
21.9MB

Download
memory/1328-408-0x00000000000E0000-0x0000000000132000-memory.dmp

Filesize
328KB

Download
memory/2032-452-0x000000001BB70000-0x000000001BC16000-memory.dmp

Filesize
664KB

Download
memory/2032-458-0x000000001C1E0000-0x000000001C6AE000-memory.dmp

Filesize
4.8MB

Download
memory/2032-463-0x000000001B780000-0x000000001B81C000-memory.dmp

Filesize
624KB

Download
memory/2032-464-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/2032-465-0x00000000010E0000-0x00000000010EC000-memory.dmp

Filesize
48KB

Download
memory/3900-425-0x0000000000CB0000-0x00000000018AC000-memory.dmp

Filesize
12.0MB

Download
memory/5868-371-0x0000000000C60000-0x00000000015F8000-memory.dmp

Filesize
9.6MB

Download
memory/6052-386-0x0000000000BC0000-0x0000000000C36000-memory.dmp

Filesize
472KB

Download