njrat | hxxps://www[.]upload[.]ee/files/17631111/Kox_Spoofer__LEAKED_[.]rar[.]html

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/17631111/Kox_Spoofer__LEAKED_.rar.html

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

147.185.221.24:50768

Mutex

543f49bacff49231d84b60f449c28484

Attributes

reg_key
543f49bacff49231d84b60f449c28484
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4696	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SpooferByKox.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\543f49bacff49231d84b60f449c28484.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\543f49bacff49231d84b60f449c28484.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
5536	SpooferByKox.exe
5984	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\543f49bacff49231d84b60f449c28484 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\543f49bacff49231d84b60f449c28484 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpooferByKox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 405459.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
3428	msedge.exe
3428	msedge.exe
1720	identity_helper.exe
1720	identity_helper.exe
6036	msedge.exe
6036	msedge.exe
5428	msedge.exe
5428	msedge.exe
5428	msedge.exe
5428	msedge.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeRestorePrivilege	1428	7zG.exe
Token: 35	1428	7zG.exe
Token: SeSecurityPrivilege	1428	7zG.exe
Token: SeSecurityPrivilege	1428	7zG.exe
Token: SeDebugPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: SeDebugPrivilege	1996	taskmgr.exe
Token: SeSystemProfilePrivilege	1996	taskmgr.exe
Token: SeCreateGlobalPrivilege	1996	taskmgr.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe
Token: 33	5984	server.exe
Token: SeIncBasePriorityPrivilege	5984	server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
1428	7zG.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3052	3428	msedge.exe	84
PID 3428 wrote to memory of 3052	3428	msedge.exe	84
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 4476	3428	msedge.exe	85
PID 3428 wrote to memory of 1952	3428	msedge.exe	86
PID 3428 wrote to memory of 1952	3428	msedge.exe	86
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87
PID 3428 wrote to memory of 872	3428	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.upload.ee/files/17631111/Kox_Spoofer__LEAKED_.rar.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe67f346f8,0x7ffe67f34708,0x7ffe67f34718
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9906067029174749623,7361697204349575647,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3136 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kox_Spoofer__LEAKED_\" -spe -an -ai#7zMap32595:102:7zEvent24543
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Users\Admin\Downloads\Kox_Spoofer__LEAKED_\Spoofer\SpooferByKox.exe
"C:\Users\Admin\Downloads\Kox_Spoofer__LEAKED_\Spoofer\SpooferByKox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5536
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
d1b73341cbf67875dd5d08ec6ed44dd6

SHA1
bd08d6f45cc174a6695bc4adc461521ada3fbfb0

SHA256
1e97861bd2f97fb5e5c73b37fd49adab1088d00c9060ae4e691b67693ce638fb

SHA512
c4987267ab31fd97be4cd08b9e4c9d746433ab431eab0fb0f1c1bfdd6cbcf9759a9a815b943cf673945f13c55ad0ab95f1f9df325ea6b19908a83646e2c76c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
56b63f54faea3e7764fa4b4d931c59ae

SHA1
5b3bffc9b029b1d43b88d07b1dfdb2a08df75d94

SHA256
d0dbff33f9526b7d80d4b0e8fe7e9fbb67bd16a32cfdff66655cf41c25e4e65d

SHA512
6222af31b07a732fcf041b97df032ca13bab7dc67508c3a44d4bc63495a024ed9500945c54d5c6e5951e0585803aea8c6f8bc5a616740be6b2004e85496c4b6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1f8b4b34cc0a3674cb47a808b18051af

SHA1
0412e8b940c3665bad2febb699925cdd40f89367

SHA256
66acc566f537030b2c615022fa2ffedbe3b5288233501bd89d5043e1c4c0c570

SHA512
b4313ca9e103bd26fc53fd02a717387bb7486bfaa9e387d0c781cd0ea501e93d56afa87ced5bb8289cba87c2cde83d6e7ecc0c585e42eac0cbfa81492fb0b6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1af0a722c8499f9796da147e4b4983a

SHA1
51fba8520e9f52ae2bb0214babd2ddbf16d227d6

SHA256
f8087a66923c2e747d11c7e8db17a640777d726e7999abffa8aac1a3309ad9f9

SHA512
f4c02746d2020339720f3b09b66c2e4bfb880c15ff96072ca8c1177cf6680b4589bcd519fdfee587db18d93de6f5308f93f9ce7e09575d13e9b08b4762b32086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4a21e9a8ef854221c7cd434ce180707e

SHA1
cd0938405fae385a78af3d443b9a399927e5eb42

SHA256
74818ef851df7633670ca87e1fe6bea90edd24980bdacd9f1f78f8dc0b123495

SHA512
65fed0685e15cd06ba8fecd7896194225581a1d093118915d94ece63a98f786f63022b66219d5c6e38bebcf1dbd35f82f311c56e8cd9e974a5f9f4a2468eb5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
263de565dea1d421098f4a232fe076f3

SHA1
192186caa4837f89e9558e063f352b09a99628ae

SHA256
244f965923da580ec80cd8315cd57916e446d1962b4069734982dff6a6f644fc

SHA512
477a514d08a3144685772ff23601c0adde193fb99627a73c1db081d3580d2fab40bd4624bd482a9d44b6dd2683e44e3c3a29baaf080f979c803bd7e92386fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0334c371a7cc196922f6a2f6c133019d

SHA1
7cb907b44adb98bf6bd13d5bff8ba75c6447abb3

SHA256
d30ec35e71ab7aade95dda522c6bb1d9b3ac6d90f66cb46674fc208f7bdf4418

SHA512
5b375ee38a928f216e40c6577d5f0bb7299caa9ad8b28471aa916367da0ea52522567d65592c5b22adc62ea2e3123d67f3f680612318be20010924dd1270f2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
281976dfff920ae1c56b322856bcbbb4

SHA1
afa39a74ab64d0c8624ffbf9d552acfd3180f0de

SHA256
72897c275d88cde2984e2340cd36f796d718cf0add6438d5d911a9c3210f379b

SHA512
9b118d2e75565365268e50784267a1d21f2b910de7c6857e45a5d5b6efbad6f5b9b0cc1650b8b19df3fa56e6baedb84b92ce8febd8abca566da8b2677aea098f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ef71.TMP

Filesize
873B

MD5
7f30611e1041e1ab6163039fcec3edaf

SHA1
9ceff311bac9e6de3d93f119ac79e3b1bbf39a51

SHA256
8858e282ce96bdc2f636f44257e1c98657f3d4ab8645a139a2f750d35eea6110

SHA512
12f5f193eb47c25216c2b1dc50b47c92cdf68057d43ec4f449fa3d3a020cbd982f9bd612eca5bd539339272f2f3476177e5958e33c4b39e02062b06b3b57b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a11a3e8d7bbb75be354c19966f34730e

SHA1
d766879712b9106bbabe2e4298b2e711ffa13d7d

SHA256
905e164ed50e01c6e046e9517dc8453b53e0a06cadc8c014095ee09ae8816723

SHA512
eaf20ee45e21fb82e493f26d7856d3f8854f4bd2d6899f2832f7bb6fc8bbb7a292cd27b9ff55b1de1a3d40880e0f85f3fe133684fad199750b8be18d1745d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6ce16e3e50309c99dfad1b9d50f4d51

SHA1
71f0b7f72d269f74ee5eac2b9126aad2f1c60dad

SHA256
b439c1fb317581bdc3a68608aca131ce1faf283ce5be0f42778c98ef82cc0af8

SHA512
91d17b275236b87327bedc3484abce603ec356443337aba7a1fff16fe5929f87fadb72b3b3bf2bf0dfb31537f9c87fef36151576b2cb344c1094942a8e41ed52

Download Submit
C:\Users\Admin\Downloads\Kox_Spoofer__LEAKED_.rar

Filesize
16.4MB

MD5
c1e94f18558db65b1206a9d279caee5b

SHA1
68738ddcce8d150bf4ef6eb9260a8b6f516d59d3

SHA256
cd2fdd55b920a87b56eaca6f8b1b78db347a4b4b42a1e67a0f0c4d1e09c19c06

SHA512
46e1afd74350b8af6cd09c03dc1566444e4d475f1c72ce5764ebd83fbbce7f05b89b77c7f734a286ceda16cd1eaa36ef355b8152587152be19808613386add1e

Download Submit
C:\Users\Admin\Downloads\Kox_Spoofer__LEAKED_\Spoofer\SpooferByKox.exe

Filesize
37KB

MD5
8cd29796f726b13449bcb6add0978d91

SHA1
58bac53109e20c8823ae6e0badf295064de1b2ed

SHA256
17e23b6b16ac79160e2627851c2f2964ccc0d1eb20997d4ab80ac330f1cb43e1

SHA512
d8b929ed61e26ca67f2d742e3b4c0f84555c17f2143e62000bef99a676a00095f54d48633cefd9c2dc890dfff2a0ee7c0fa94a9fb44ecc8abd40a63ee894e3df

Download Submit
memory/1996-281-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-282-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-283-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-287-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-289-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-293-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-292-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-291-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-290-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download
memory/1996-288-0x0000021837EE0000-0x0000021837EE1000-memory.dmp

Filesize
4KB

Download