darkcomet | hxxps://github[.]com/kheiron1337/icraat

Analysis

max time kernel
103s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kheiron1337/icraat

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

80.208.221.140:3048

Mutex

DC_MUTEX-7SW877C

Attributes

gencode
iX3UiRGJM1JW
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Downloads MZ/PE file

Executes dropped EXE 23 IoCs

Processes:

installer.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exeinstaller.exe

pid	process
1544	installer.exe
2800	installer.exe
4668	installer.exe
1688	installer.exe
3956	installer.exe
2448	installer.exe
2284	installer.exe
692	installer.exe
2724	installer.exe
2508	installer.exe
772	installer.exe
3364	installer.exe
2280	installer.exe
2444	installer.exe
1040	installer.exe
1292	installer.exe
2776	installer.exe
1564	installer.exe
736	installer.exe
684	installer.exe
4884	installer.exe
4860	installer.exe
3852	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

83 raw.githubusercontent.com
84 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
83	raw.githubusercontent.com
84	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 926845.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4004 msedge.exe
4004 msedge.exe
2136 msedge.exe
2136 msedge.exe
3068 identity_helper.exe
3068 identity_helper.exe
3532 msedge.exe
3532 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe
2136 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 926845.crdownload:SmartScreen	msedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
2136	msedge.exe
2136	msedge.exe
3068	identity_helper.exe
3068	identity_helper.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

installer.exeinstaller.exeinstaller.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2800	installer.exe
Token: SeIncreaseQuotaPrivilege	1544	installer.exe
Token: SeSecurityPrivilege	1544	installer.exe
Token: SeSecurityPrivilege	2800	installer.exe
Token: SeTakeOwnershipPrivilege	1544	installer.exe
Token: SeTakeOwnershipPrivilege	2800	installer.exe
Token: SeLoadDriverPrivilege	1544	installer.exe
Token: SeLoadDriverPrivilege	2800	installer.exe
Token: SeSystemProfilePrivilege	1544	installer.exe
Token: SeSystemProfilePrivilege	2800	installer.exe
Token: SeSystemtimePrivilege	1544	installer.exe
Token: SeSystemtimePrivilege	2800	installer.exe
Token: SeProfSingleProcessPrivilege	1544	installer.exe
Token: SeProfSingleProcessPrivilege	2800	installer.exe
Token: SeIncBasePriorityPrivilege	2800	installer.exe
Token: SeIncBasePriorityPrivilege	1544	installer.exe
Token: SeCreatePagefilePrivilege	2800	installer.exe
Token: SeCreatePagefilePrivilege	1544	installer.exe
Token: SeBackupPrivilege	1544	installer.exe
Token: SeBackupPrivilege	2800	installer.exe
Token: SeRestorePrivilege	1544	installer.exe
Token: SeRestorePrivilege	2800	installer.exe
Token: SeShutdownPrivilege	2800	installer.exe
Token: SeShutdownPrivilege	1544	installer.exe
Token: SeDebugPrivilege	2800	installer.exe
Token: SeDebugPrivilege	1544	installer.exe
Token: SeSystemEnvironmentPrivilege	2800	installer.exe
Token: SeChangeNotifyPrivilege	2800	installer.exe
Token: SeSystemEnvironmentPrivilege	1544	installer.exe
Token: SeChangeNotifyPrivilege	1544	installer.exe
Token: SeRemoteShutdownPrivilege	2800	installer.exe
Token: SeUndockPrivilege	2800	installer.exe
Token: SeRemoteShutdownPrivilege	1544	installer.exe
Token: SeManageVolumePrivilege	2800	installer.exe
Token: SeUndockPrivilege	1544	installer.exe
Token: SeImpersonatePrivilege	2800	installer.exe
Token: SeCreateGlobalPrivilege	2800	installer.exe
Token: SeManageVolumePrivilege	1544	installer.exe
Token: 33	2800	installer.exe
Token: SeImpersonatePrivilege	1544	installer.exe
Token: 34	2800	installer.exe
Token: SeCreateGlobalPrivilege	1544	installer.exe
Token: 35	2800	installer.exe
Token: 33	1544	installer.exe
Token: 36	2800	installer.exe
Token: 34	1544	installer.exe
Token: 35	1544	installer.exe
Token: 36	1544	installer.exe
Token: SeIncreaseQuotaPrivilege	4668	installer.exe
Token: SeSecurityPrivilege	4668	installer.exe
Token: SeTakeOwnershipPrivilege	4668	installer.exe
Token: SeLoadDriverPrivilege	4668	installer.exe
Token: SeSystemProfilePrivilege	4668	installer.exe
Token: SeSystemtimePrivilege	4668	installer.exe
Token: SeProfSingleProcessPrivilege	4668	installer.exe
Token: SeIncBasePriorityPrivilege	4668	installer.exe
Token: SeCreatePagefilePrivilege	4668	installer.exe
Token: SeBackupPrivilege	4668	installer.exe
Token: SeRestorePrivilege	4668	installer.exe
Token: SeShutdownPrivilege	4668	installer.exe
Token: SeDebugPrivilege	4668	installer.exe
Token: SeSystemEnvironmentPrivilege	4668	installer.exe
Token: SeChangeNotifyPrivilege	4668	installer.exe
Token: SeRemoteShutdownPrivilege	4668	installer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installer.exe

pid process

2800 installer.exe

pid	process
2800	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2136 wrote to memory of 568	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 568	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1372	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 4004	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 4004	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe
PID 2136 wrote to memory of 1484	2136	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kheiron1337/icraat
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf24e46f8,0x7ffcf24e4708,0x7ffcf24e4718
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16967717370093525659,472385200295220068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3532
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Users\Admin\Downloads\installer.exe
  "C:\Users\Admin\Downloads\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7a6de678f84ee628363f771cff40acac

SHA1
9a84ff3114c2f0bb5e95256b5789ac0c7eb61f06

SHA256
09a1e01724f3bfb069956fb3dd64b5d3678fc26853beb5c623e8f274e4eb23c2

SHA512
6a3dae513313650f8ce75347fdd6691c22059f86c4a4571865eb540ecc191778c09de626dd39f2f78a2bae5ace9403fde53f9c09b8df0bd881b40f9d6ce88b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4a0edd2bf1c42ee32e063ff1a4744441

SHA1
cd6b04c91f93834afd701bc197262c9f6bdd3d77

SHA256
2ad1006d5b948dbce1645ee21a99a7c95429dfc2f94f62d1c6fa5fac4876abbf

SHA512
e3cc697a7b671da76b8cc87e0695ec4f911a1cc7f633e734a84c4c0a26a246bc706982b7b42bad8de5fd1577f8d9bff57c911b33fd3704d489e2d8913389cac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a6d863f6a2d5d47ddb8d838dbdee809

SHA1
d36847c07054558b4b7110a7873331d7bf5ef892

SHA256
5f58bb830129e41ad2634d5336a4337b6c03b08481055e95c077a590f4d6148f

SHA512
d4678e851bb1f6ed21ca96dd3263bda99e6ceedfb7ccbfeb596562fe885f715ae6126835cdd26e22f5fc8eb42d9e242ed64c29710b30c518c96c6317a65c501f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1460c44724f3583e74f05b2f7e8c9c7f

SHA1
8fb138232eb1cfe952a2f07f0014a5ceab606b17

SHA256
385ccc677994e51e434a78793181ae8138bb155057dda508bb00f5fdeab565cb

SHA512
a4801ad9686ed4d180c2c7f82b9455042b01e03c5b5de3048d2520b4ad8ecfc977358d433029d3af9da472e85eac5266893053e1505cdd72122aae5e7374769c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6fcf473a8d59171a8bfb5eb1f3a7a585

SHA1
3d957e6424ed602716e907623f149aa5e4fa8e8d

SHA256
cc1dabda4fa8843e22352a7096dda2938de0f948068419b6201a192471011f48

SHA512
1867e2d644bd0078c2af88c93e1e7aa6994aa4c0d81cbeb6a35f91694966298ae00129106ab535d56ff06acaea8681eca6bdcadd8ae28f21ce03a7fd3fbace24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fc4716ed8a6a926e52ede33e0b488f3

SHA1
9b228b3185dcf28eae1f8509bdac8229c81bb5dc

SHA256
5dab28eba1f03507890ac7034dadbcdd6be89f990f2121903f49feb4a620e327

SHA512
42d379f867f57e2e69429fee114c41926fc82747a70937f6fe13f4ee25798b971ed8c938eb9c11f893c61bef32a1e9eb067509211880774f854473f94692b451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581fd7.TMP

Filesize
874B

MD5
b379aaa0bf6f897a5aba6b21285f2cdc

SHA1
528da12ffc1f693404b2732b10d61c780ef25802

SHA256
6626aa1522d0f2220faafc4214d3c47b70abc42b349d1dbe5e191c298e561a56

SHA512
3770acca53e1d099ace8f8686819c63ab6a6fd0822ad472d4e50b87364cd1df3b09252fb1739f23aad2a83e4c789fa2006b26e9a6119f210d804ca6bfbe0eee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a3313613038b55ece764745b195b09b

SHA1
cba32f43561d525bca8fd6fd3ff7cd70ad34f578

SHA256
8c9565798a11a55ec33e23d24441ab4be8edb136a1783472e90fc619177ddfb8

SHA512
a50dd945cfa3bdf5af94df546fbd9afe3fb40e1ed6cabbfb7a26d89af25ec9bae30d9d85c0ba699a8c632eb555f420c09ba9dc984e7220984ae98eb3dcf9c4b2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 926845.crdownload

Filesize
658KB

MD5
d4e37fd9f039e5a80e62a64e5f8893d3

SHA1
524fa7dc3e8e3514f71f49d781b122a838f8c900

SHA256
e760e3f24075e72cc3c94b3ed134185705a84f927deedee5e9c9a4cf52b266c2

SHA512
b6cd709ef072d08881a0790ef98520a196a3c83db958f2e62b585874f82b155eb28eb713e5a6b9d7a1a697c67ae832ebc09a7f647da32d2eac53a6145319e54f

Download Submit
\??\pipe\LOCAL\crashpad_2136_MPVYSLUGTAGTMOVE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/684-401-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/684-400-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-355-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/692-356-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/736-389-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/736-388-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/772-365-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/772-364-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1040-377-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1040-376-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1292-379-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1292-380-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1544-336-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1544-341-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1564-385-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1564-386-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1688-344-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-343-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2280-370-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2280-371-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2284-352-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2284-353-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2444-373-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2444-374-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2448-350-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2448-349-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2508-362-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2508-361-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2724-359-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-358-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2776-382-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2776-383-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2800-337-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3364-367-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3364-368-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3852-410-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3852-409-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/3956-346-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3956-347-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4668-339-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4668-340-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4860-406-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4860-407-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4884-403-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4884-404-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download