Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://dropmefiles....

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://dropmefiles.net/ru/4Byze7NPRh

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

0.tcp.eu.ngrok.io:14111

Mutex

DC_MUTEX-C2DFJ06

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    nh09UHVwpHiv

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 17 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 18 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 27 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dropmefiles.net/ru/4Byze7NPRh
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7bd646f8,0x7ffd7bd64708,0x7ffd7bd64718
      2⤵
        PID:3704
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        2⤵
          PID:4320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
          2⤵
            PID:2360
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:4468
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              2⤵
                PID:2364
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                2⤵
                  PID:944
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
                  2⤵
                    PID:1788
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                    2⤵
                      PID:1904
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
                      2⤵
                        PID:1348
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:628
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
                        2⤵
                          PID:1968
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
                          2⤵
                            PID:2784
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
                            2⤵
                              PID:1692
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                              2⤵
                                PID:928
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4804 /prefetch:8
                                2⤵
                                  PID:4888
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                                  2⤵
                                    PID:4308
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
                                    2⤵
                                      PID:4884
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
                                      2⤵
                                        PID:4892
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5172 /prefetch:8
                                        2⤵
                                          PID:112
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4820
                                        • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                          "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                          2⤵
                                          • Modifies WinLogon for persistence
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • NTFS ADS
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4360
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe" +s +h
                                            3⤵
                                              PID:4100
                                              • C:\Windows\SysWOW64\attrib.exe
                                                attrib "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe" +s +h
                                                4⤵
                                                • Sets file to hidden
                                                • Views/modifies file attributes
                                                PID:4224
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads" +s +h
                                              3⤵
                                                PID:2044
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib "C:\Users\Admin\Downloads" +s +h
                                                  4⤵
                                                  • Sets file to hidden
                                                  • Views/modifies file attributes
                                                  PID:836
                                              • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                                                "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
                                                3⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of SetWindowsHookEx
                                                PID:528
                                                • C:\Windows\SysWOW64\notepad.exe
                                                  notepad
                                                  4⤵
                                                    PID:4796
                                              • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                2⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4908
                                              • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                2⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                PID:4912
                                              • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                2⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                PID:4284
                                              • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                2⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                PID:5040
                                              • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                2⤵
                                                • Disables RegEdit via registry modification
                                                • Executes dropped EXE
                                                PID:2236
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
                                                2⤵
                                                  PID:4576
                                                • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                  "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                  2⤵
                                                  • Disables RegEdit via registry modification
                                                  • Executes dropped EXE
                                                  PID:4984
                                                • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                  "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                  2⤵
                                                  • Disables RegEdit via registry modification
                                                  • Executes dropped EXE
                                                  PID:3564
                                                • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                  "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                  2⤵
                                                  • Disables RegEdit via registry modification
                                                  • Executes dropped EXE
                                                  PID:1220
                                                • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                  "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                  2⤵
                                                  • Disables RegEdit via registry modification
                                                  • Executes dropped EXE
                                                  PID:1012
                                                • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                  "C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe"
                                                  2⤵
                                                  • Disables RegEdit via registry modification
                                                  • Executes dropped EXE
                                                  PID:2116
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
                                                  2⤵
                                                    PID:2712
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
                                                    2⤵
                                                      PID:2116
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2696 /prefetch:8
                                                      2⤵
                                                        PID:3328
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,195456550300914217,766065631017443686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2776
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:1056
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:4372
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:1980
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:4644
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:1604
                                                      • C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe
                                                        "C:\Users\Admin\Downloads\mortek karol hupza_gpj (1).exe"
                                                        2⤵
                                                        • Disables RegEdit via registry modification
                                                        • Executes dropped EXE
                                                        PID:4056
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:5096
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:4856
                                                        • C:\Windows\System32\rundll32.exe
                                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                          1⤵
                                                            PID:3108

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9b7fac1a-3f10-457c-bed3-72ece18fb570.tmp
                                                            Filesize

                                                            12KB

                                                            MD5

                                                            9624de8299c2ba355a3e40691efb1e73

                                                            SHA1

                                                            b0bbb749b81013ee02f97393765ea6f50b0f16fc

                                                            SHA256

                                                            a24bbae543a68309d372a46c065058af24ae722fb15bffce073914366ac64483

                                                            SHA512

                                                            0cdb3fa00a2537d4eeb556ba954061c02b4e50f09a3ca13f0f2d4c4f990f411a4c3203e4d085d936f8fdbef88513d2020e784293d49803a32e069a45d9fea91a

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            47b2c6613360b818825d076d14c051f7

                                                            SHA1

                                                            7df7304568313a06540f490bf3305cb89bc03e5c

                                                            SHA256

                                                            47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

                                                            SHA512

                                                            08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            e0811105475d528ab174dfdb69f935f3

                                                            SHA1

                                                            dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

                                                            SHA256

                                                            c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

                                                            SHA512

                                                            8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\90d571a0-320e-4a51-9fd6-20e08170801b.tmp
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            9e713ff2efdde6b0764bb6c899d36302

                                                            SHA1

                                                            0f4e006dce8833d2839047d7fe5d901214c4624a

                                                            SHA256

                                                            b7870d9963b73348e256d0d3fa30abc1a3a3657ba50327debcccc4dbe5f50822

                                                            SHA512

                                                            46e50b083754ae0a12a84d7cbc2d5ded4dbaff5e4c708caaff396649b746f62a5651835debb1fc8d9f6eb9accf1f3257b0831effdfed408ded76019fa2382cb9

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
                                                            Filesize

                                                            19KB

                                                            MD5

                                                            eb3c894e0bb7a9c114fcd48cf050b4bf

                                                            SHA1

                                                            33f22370275ebe16fad66b98ad0fe98fb478d2ee

                                                            SHA256

                                                            1f45e843af629be46eb3e761bc0a70d32fbaa860ea14ca4536d5dea191a006d0

                                                            SHA512

                                                            e6eb5bb6cb9c935c6efd4cabe7a83711daf76eaf9153363fe2b7b043c5439d2ada0fa3d5487739806bb90d354e18d70de8f19115ca150056b1deaedeb13b0aa2

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                            Filesize

                                                            912B

                                                            MD5

                                                            1f5e36244844790f39766e61640a0241

                                                            SHA1

                                                            59307f6b420d63b2aff34f6c7e6398a461664bf5

                                                            SHA256

                                                            242bd728bb5db5f9f58423ca4fc21ec5999e6e7cc096d3741706e3834cf77184

                                                            SHA512

                                                            7536dc0457cd0dd0402d6318b1d04ee11d490dbb4a020ee3a9d342f0e2c453c655019e824f6492d49971020e9d5f766f2d9c7699279e88e7ea812347db62ec98

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                            Filesize

                                                            3KB

                                                            MD5

                                                            aa6df91a9a82af355018058e462c6d88

                                                            SHA1

                                                            024e0308bc0d263991f996daa14cf588825649a9

                                                            SHA256

                                                            9b873ee697a804e98ca1831ee30e4ff9f62a1d87db4953b31acbc39816e8c793

                                                            SHA512

                                                            6feea2beb73af5b5df7ebb3f7b61c529653fe263edc30b9f78b23efbf9e48ba0ab29e3537591efbafeaa88d9447299ff1fc11f3eda5cc249f428a4a5b87c5473

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                            Filesize

                                                            3KB

                                                            MD5

                                                            df8c4fd33cb9d81b5aaef8491451e9f7

                                                            SHA1

                                                            ad3620e4a117e6045e1ed4671c41d6bafc2152ed

                                                            SHA256

                                                            8cf2f0ecebe59c61c8b7ecdfa16d5265c3b09e80d1dd97130c78382d3a90cbdf

                                                            SHA512

                                                            2d1d7329b98f4b3fe91ad85ef3baa690dc8f4f1691e1c18dfc75a02e2a7194a8d9021a810e53d0a9a3a39b22355ec22b7e8e6f0aacf9061d8b3facf21d91422a

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            70569ea4456df1b831bc0e9696eda97a

                                                            SHA1

                                                            86ad2dbe716d1e7cf3e99525fdf1b6fe7cb3cb94

                                                            SHA256

                                                            ade5a811a3431ea3534df5c37f4b789464cabc1a423749ead7bf84c69ae516a0

                                                            SHA512

                                                            5d17275c19949604f3479bb9afa48e156a092d754f8cb3acc6a97aa922dcbd79e52f8ae434152788f67674f96f115d77d435044a7adb734499dabe3cd9ba35fb

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            acc85336a99f0d12aeaa39a9f1854faa

                                                            SHA1

                                                            5213062aaff3b25a7b50beb39179c562701937b0

                                                            SHA256

                                                            0fcfe7a11e9126741b08354668b836fbabb22fff6abf019b471b3b535c758521

                                                            SHA512

                                                            45d375887af214ab397fe413ee07dc99e289f77e75f730cd67644607aad66ff9a6e7b76f7f2297c80127a27bdaa7c2c84db5156dd5753aa29a4f45264f578996

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            6c72d432b01d36adf5867763d67639df

                                                            SHA1

                                                            5fece325d7718b29267b5a7a9b1c5a9c864af224

                                                            SHA256

                                                            29cd1f657feaafc5cb50be2bd740e87e19a268b3982f1eae54ab8e96c4eea07b

                                                            SHA512

                                                            ca9d7c73a1120533fe9ec2f8986e62426946da9bd208b0d8ba1e323f907736ae73112e343c179820ca488a30853882a33f066fbb82284aa804a940d52f767954

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            8e671c9cc42e3dcddd52e3b011ea544d

                                                            SHA1

                                                            05d4f4277b8eab77b20143b0e4df6b68655899ed

                                                            SHA256

                                                            f971d0eb345e07aebe2aeb2cd2f7eba5ac4f7ce4bf3c675acd7c4ac4b9e1f05e

                                                            SHA512

                                                            042d229cd37f37b9d759fbfbe122aef4df673f961930f9b045c1c4aecc8b9388e24ccd7a708f992f419769cb5daaac2e05003a5b0b40136e2103e23616273efb

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            d418ec7d44d410ea4cf6a9a8f0f9f64c

                                                            SHA1

                                                            2c809b2aca58f97f3ca1ddbad3d18ea4120b1d58

                                                            SHA256

                                                            e7c459b2d25f166c001eb58cb62177e21d02fefbb621616e44a530ee3a304fc1

                                                            SHA512

                                                            9657c67c6a7b1a5d0155578c0eda23551904b5ebdcaafb59cdcb1fa21c1571509e0809c2ab61e956d7b53448493f2abd704b575cd0ad627b1e99f30ce6209e59

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            6752a1d65b201c13b62ea44016eb221f

                                                            SHA1

                                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                            SHA256

                                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                            SHA512

                                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            11KB

                                                            MD5

                                                            22b3eb2f7c5f4908740a1365542d7a56

                                                            SHA1

                                                            e40d86ad5fbaf9377b004e918649e9e59437f3a3

                                                            SHA256

                                                            33c8b1426bdd917be7b5b90f00066d0be2a0dff6c77c674e67ab2934d0919316

                                                            SHA512

                                                            9372b4e0cb0a5f3964099989e9faebc7a5296f28f38cf36940e7a99643dae8656d33d0d5109a8133433174e220875da5a22d9ec2af567684abba16542e9c70bb

                                                            Download Submit
                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            12KB

                                                            MD5

                                                            4d594dcbb3952e02a4306e24bd6759a6

                                                            SHA1

                                                            7590c879538517881f7a477a26ae8c20d0dc6c63

                                                            SHA256

                                                            996093af9d32d47a6e31aef150771c8ff1a5ecba2289881fc8ef938edda4fb37

                                                            SHA512

                                                            8bbaa9d7507a7bf6d6c846066cf52ec3373ffeeef51f70be70c194f65b5a2b669080ddbef1f81a8d493bf5eb2b117e1fc6404e74d53f0a6188e42c7fc13f2a36

                                                            Download Submit
                                                          • C:\Users\Admin\Downloads\mortek karol hupza_gpj.exe
                                                            Filesize

                                                            658KB

                                                            MD5

                                                            c6b3ede73fe3453e8492a1efc2f470d0

                                                            SHA1

                                                            deee6b070980c5b01ea16315f2735e61f71fbec0

                                                            SHA256

                                                            7f52a160917ca648622439bea87ba49b4e8dd2a1b092275b4a0e4b3210bacf49

                                                            SHA512

                                                            5e70b442f9d20e90ab44632c01097cb1e45ccccb6c3dc86e2824265a217e107e30975e6f1d34d833110e11fe5ae224d3cf732e54f8d33eaae4f5b97274b73a5c

                                                            Download Submit
                                                          • \??\pipe\LOCAL\crashpad_3100_GEGZGHCCOYBVQPLK
                                                            MD5

                                                            d41d8cd98f00b204e9800998ecf8427e

                                                            SHA1

                                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                            SHA256

                                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                            SHA512

                                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                            Download Submit
                                                          • memory/528-358-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/528-347-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/528-350-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/528-262-0x0000000002180000-0x0000000002181000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/528-302-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/1012-345-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/1012-344-0x0000000000790000-0x0000000000791000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/1056-389-0x00000000021D0000-0x00000000021D1000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/1056-390-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/1220-341-0x0000000002140000-0x0000000002141000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/1220-342-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/1604-402-0x00000000022C0000-0x00000000022C1000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/1604-403-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/1980-396-0x00000000023C0000-0x00000000023C1000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/1980-397-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/2116-365-0x0000000002130000-0x0000000002131000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/2116-348-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/2116-349-0x0000000002130000-0x0000000002131000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/2236-279-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/2236-278-0x0000000002190000-0x0000000002191000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/3564-338-0x0000000002290000-0x0000000002291000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/3564-339-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4056-405-0x00000000006E0000-0x00000000006E1000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4056-406-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4284-273-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4284-272-0x0000000002130000-0x0000000002131000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4360-248-0x0000000002130000-0x0000000002131000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4360-264-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4372-393-0x0000000002170000-0x0000000002171000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4372-394-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4644-399-0x00000000006E0000-0x00000000006E1000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4644-400-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4796-263-0x0000000001090000-0x0000000001091000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4908-267-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4908-266-0x0000000000690000-0x0000000000691000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4912-270-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4912-269-0x0000000000690000-0x0000000000691000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/4984-321-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/4984-320-0x0000000002140000-0x0000000002141000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download
                                                          • memory/5040-276-0x0000000000400000-0x00000000004B2000-memory.dmp
                                                            Filesize

                                                            712KB

                                                            Download
                                                          • memory/5040-275-0x0000000000790000-0x0000000000791000-memory.dmp
                                                            Filesize

                                                            4KB

                                                            Download