Analysis
-
max time kernel
510s -
max time network
513s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
13-04-2024 20:49
General
-
Target
https://filebin.net/iupwjvd2xjkgmhs2/prebuiltvm.rar
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
6.tcp.us-cal-1.ngrok.io:12638
127.0.0.1:1337
Mutex
DC_MUTEX-RSWN5YL
Attributes
-
gencode
7gEewe3dp4fF
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 10 IoCs
-
Windows security bypass 2 TTPs 20 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 9 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 20 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 28 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.net/iupwjvd2xjkgmhs2/prebuiltvm.rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3336 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5760 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\prebuiltvm\" -spe -an -ai#7zMap27370:82:7zEvent222471⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd2925772h6894h46cch93c3h1d5d246cd2ca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6055774406263957736,1866925422703203876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6055774406263957736,1866925422703203876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault23868d4ehd2c4h4a9ahaf0fh7b4c634528381⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4301013324815310568,3446095526262378034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4301013324815310568,3446095526262378034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault204fa05dh1dd4h4606h8e51h298a082da7d01⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8692128357583523852,10144765486392426305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8692128357583523852,10144765486392426305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\prebuiltvm\" -spe -an -ai#7zMap10624:82:7zEvent231161⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59b37f45bb53621bde641ecf0ac95c43f
SHA1e6658fd3fa342cc7db071ee71e2c7d8883acf778
SHA256ee75f334d75da011888ba9306ac27d037271e9cb3c0989f9eecee4af9426b2ea
SHA5121d0b75231473958644270ad991275a1c8ded521d3f6b3da244e714627d640a7c0a523674b4ecf58a0fd6fa52ac1bd3a2e517311f741430bd6ddb4a45bb1f789f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5dcf7b7f6db8648c9118903ae11d4ba7f
SHA174265dafa33994ef7148111bef9efbab6e3795bf
SHA256e37da26dd87b61af0f60814c294039c308daa1d9854b4b9329d4f0f73390fbc0
SHA512af9feca3a642b8b75de639cf8652772b3cd8af45071125b2f0e3a6c9dec6f29d304ce6d73c43fdb43d0ee1d10295700658104d5b0b6ab775440f2b9ded3ba406
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD521ffdc8d160d3f5a62b2d1e1203565be
SHA137e49ff09a6c4037e2a1d0aeeefe7c886c0b281c
SHA256fa7eecffe4fb71cd0d0aaf77627209cc6b97115915d9d3c2c7b06ad93affd2a5
SHA5123fb8fe31ff8995fd624b2857b2359c47bffb6703fa2fc139108a184d27e4bc033ad9518616179cb2779f1bc591552c7cbbd6c19729947898a3fb1f0b20ce3bd5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a1c7c8628309cb2cba92459fe2e71e8e
SHA1baac2923b088bba88dfd7a31f555fc3cd2c3c377
SHA2560090e38f869c2dd4de536e6753758ba86bac959f299004a1ab3755f3e11a7657
SHA512c958c4e8ed85749be852fe1c1d53f97b23e76d9bfabf0073a5a3a7c5b12f556da74770fa748b5943723c5f8b7b87bdb6bad35c4adff4f89909e37381763f3e92
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD584c82ea2eb08347faafa7e71faca2cd6
SHA171f15599f5fa6bed2f5660245e88c228e0bdb56e
SHA2563c79926f80053886507f4ee7d01f251043bec1a115bfff98da6e67cb1ab6f1d9
SHA5123e7653e0a3826c25faa0169d09792de45abfc013c1c470e0e0ca801489819ae153de07717e1a2f1bb6fe319b479bc9c5c0110a34268031d73da4bec48990e80b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD572c2eeabac1d50a2de4b2c83fe2dfaf3
SHA11d1f959b1160826be45bd760453ec68c9c1eaa03
SHA256025c9732be204d6d20f4ea1d32d76cf31e60ac5b31e6e4fa3dd1c0cb6887726f
SHA512ea923c2e0c18f69086d84332b7cc3e31f334310f1a93625dcefbe8dcd1a81170b445ea3db00619f99e1337fd27c45e141ad18fb94a086dba85ce3bdbb04a7119
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5f62f39afecefb4d599158edd0c332ce3
SHA1c204efb7df0bfa812978506a3e6fdb88dbb2e2a6
SHA256d0bfca70a679b26ea7ce6cada90113f728e32af376c90fdaa6b9f8e1c0e316d1
SHA51209ba87ba4c25971482b8c7cd78361f9cf188861b36f72c0391bcf8d8cfe2e362a17c281e044207fafedbbf863653185bf19cfbb79756a8bebe7f57befb9a771c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD50b7b5acb61dfebe1b7d2182455b0e757
SHA1e12f647c7b2d0c55d971ef1aa70e2e688b040a0f
SHA25637ea3eecbc7e4120302585e0eada3640bf83435d033c693967e7f70cb54df1b2
SHA512a5dd26a16081cf5161afc9470f8cbe96b1ba20a29248668a22ecea13d44871e6d75ce0d7a16aa560d0512eacaa2c9154b38eba9e63f30c3f80eb0b7be08c9c5d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5fc3c13af9e37a6a39f9996cfa50c5402
SHA1dc6c4f93cc8df21cb351e6f3209b66a2797f9361
SHA256448916982a9ee944acda4188458ff43253a7770ce95cd7ed01fd273ada9062ee
SHA512965993cadcf909cb76643ac32e3ccb540459a2aaf576163185dd3815eb2e4821f23bb3315a6d82bbc163411fae46008f44fa9fea2d713a8170385bf75e2def90
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d53f6f8f0a1213e3f3d3a1becaefa4c0
SHA1c5a3a695024cc1088a651ed5581996d225093569
SHA256be5a9fcd3320882a0aa7993c7a36957f52784bb9b67c8358dba432186142f77b
SHA512e42156a9924785f707ed8320411abe6a805c76046441fa8870407477a6a4b6ddebfc231703ae56ef7963f27999b49696ee4bf0bd2e002391b42803d0a4b9faf0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5948936fe87b0efe66113314c4872ba6c
SHA10d3d3f4a0002d5d5ca77d59cefef37a15aeb5d3e
SHA256bbc462bf126c130aa29aaebc5888f083ba4692c1feaeb4e8a83a342b92266b36
SHA5123f617825c2ea9433a147472e64edded924442ccf9abc349c84dd3e1166ff98a50174d19b4954a9efc515b0111adb4036229a285e031056261c03b0b8caa9b4f9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD54f0c9bd1b0e1430dd12fe6c4fdb76647
SHA1fadb188f9c80547499c4c2008880f0fbc8491028
SHA25626e3e89a204b00eff3b26f1b824605ddd0af08b85cc46ba0cf92bf248ab27a55
SHA512c9560af6f7057da1c7a8418bd7a9751ba64c35d10d10cfd0a4feab9442273e9d5abc5b6bd01f955d5e6409e5bf1593b8c01afd4a90a94a5d186ff435df0fac0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5dd6b74acbe8d2d4bc6a5a4b76f7509a4
SHA1e4b5f79dc890d615a8159510e06050f9b051d827
SHA256cb95b98733643ed127dc9aee6eea8ad4b2f0cbe3cc7ab56c035df2b845827d36
SHA512ca42d6ce3509f8f0c47971a4ea7a3477c5494a289bfc00b45c1bf43a2da39fd7ba19db03e2ac3f22540489a37c07a7b56f3579063201ed0f8e14771554a1b732
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD56d45ee65503d3cf261f47e1c3c51c525
SHA1aa451d26305b5446e89588948baa2ba189bfbb62
SHA25605dfb6997ccb52f92e45cc6bb69d9b2d28a754107a823ef86812500c321b891e
SHA5129e18c797454547ec410619efe246edef808b911ab07586adbec2ca1b6491ea045c10d7a207326f681448051ae8b36d22d9e077fe3ed7eebf03e8dbc40b8d24f0
-
C:\Users\Admin\AppData\Roaming\dclogs\2024-04-13-7.dcFilesize
64B
MD567777c773334a2a45cabc268441626af
SHA1a01b885b8d16044bbd41fd56625ad9dccdbf315f
SHA256b11b376ffc127201b99452008c3e47ccdf974925f4760624b2e29cdaafd4fecd
SHA512cd8017c18bcba9a19e51b27b5a7596596a6a342a33bd089a4b3a1b411210693b75e0594d9aa64855355b9cd38684a8bd6677d51ba300f4f2a1ef054ee5454821
-
C:\Users\Admin\Downloads\prebuiltvm.rarFilesize
246KB
MD56ccd4a9dcbc5a64036149722d84ac93a
SHA123f9d578d279f196e3026728e2503283393ccf3b
SHA256aecef6d3695122c47aa63b8987aad0155c36b54016a3bab9b59c216ac8e53027
SHA51262fac7b6dce8125a6f5f881dc23fb2427d7e8d1ed4b38f29ccd6b39f998330aed6beb7f66e353906765b40791b979a2937b3f1427bd99b4bd58d94869871ddc1
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exeFilesize
251KB
MD5e556b66a52ae28b3c877a9f3c419c5e3
SHA13a71dfde7b64c92cca1a023d0c807364d7d4cc1f
SHA2561993dacf9211a1dab3c7cca176add0714f3061a7c9cb2edaacd31448c16c746a
SHA512cd8b4a5ba819848cf48b8e59da0099324b06c54bb913381720e612e003a47cef583b4f96947d70a40e41445a802d4368835d339c0a2a2b5c7b91bfbd604df277
-
\??\pipe\LOCAL\crashpad_4368_HABINBDQTBVYJFIOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2456-109-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/2640-116-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/2640-115-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/2640-114-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-224-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-262-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-294-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-264-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-112-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-106-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-139-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4016-108-0x0000000000B00000-0x0000000000B01000-memory.dmpFilesize
4KB
-
memory/4016-263-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4080-302-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/4520-266-0x0000000002700000-0x0000000002701000-memory.dmpFilesize
4KB
-
memory/4520-267-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4628-129-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/4628-130-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-308-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/5004-314-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-327-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-326-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-325-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-322-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-320-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-315-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5004-313-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5248-290-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5248-289-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/5588-260-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/5588-261-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5832-272-0x0000000002390000-0x0000000002391000-memory.dmpFilesize
4KB
-
memory/5832-273-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5920-303-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5920-298-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5920-296-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB