darkcomet | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus[.]exe

Analysis

max time kernel
51s
max time network
51s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

winupdate.exewinupdate.exewinupdate.exewinupdate.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 16 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4732	attrib.exe
2264	attrib.exe
2140	attrib.exe
2956	attrib.exe
2316	attrib.exe
4908	attrib.exe
4732	attrib.exe
2736	attrib.exe
4804	attrib.exe
2560	attrib.exe
4072	attrib.exe
1424	attrib.exe
4728	attrib.exe
2184	attrib.exe
3112	attrib.exe
2072	attrib.exe

Executes dropped EXE 8 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exe

pid process

2104 Blackkomet.exe
2300 winupdate.exe
1576 winupdate.exe
3684 winupdate.exe
4572 winupdate.exe
2424 winupdate.exe
1712 winupdate.exe
2808 winupdate.exe

pid	process
2104	Blackkomet.exe
2300	winupdate.exe
1576	winupdate.exe
3684	winupdate.exe
4572	winupdate.exe
2424	winupdate.exe
1712	winupdate.exe
2808	winupdate.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winupdate.exewinupdate.exewinupdate.exenotepad.exeBlackkomet.exenotepad.exewinupdate.exenotepad.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
12 raw.githubusercontent.com
29 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in System32 directory 43 IoCs

Processes:

winupdate.exenotepad.exewinupdate.exeattrib.exewinupdate.exewinupdate.exeattrib.exeattrib.exeattrib.exeBlackkomet.exeattrib.exeattrib.exewinupdate.exenotepad.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exewinupdate.exeattrib.exewinupdate.exenotepad.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 8 IoCs

Processes:

winupdate.exewinupdate.exewinupdate.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 576499.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1824	msedge.exe
1824	msedge.exe
4984	msedge.exe
4984	msedge.exe
1272	msedge.exe
1272	msedge.exe
2484	identity_helper.exe
2484	identity_helper.exe
4796	msedge.exe
4796	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2104	Blackkomet.exe
Token: SeSecurityPrivilege	2104	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	2104	Blackkomet.exe
Token: SeLoadDriverPrivilege	2104	Blackkomet.exe
Token: SeSystemProfilePrivilege	2104	Blackkomet.exe
Token: SeSystemtimePrivilege	2104	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	2104	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	2104	Blackkomet.exe
Token: SeCreatePagefilePrivilege	2104	Blackkomet.exe
Token: SeBackupPrivilege	2104	Blackkomet.exe
Token: SeRestorePrivilege	2104	Blackkomet.exe
Token: SeShutdownPrivilege	2104	Blackkomet.exe
Token: SeDebugPrivilege	2104	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	2104	Blackkomet.exe
Token: SeChangeNotifyPrivilege	2104	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	2104	Blackkomet.exe
Token: SeUndockPrivilege	2104	Blackkomet.exe
Token: SeManageVolumePrivilege	2104	Blackkomet.exe
Token: SeImpersonatePrivilege	2104	Blackkomet.exe
Token: SeCreateGlobalPrivilege	2104	Blackkomet.exe
Token: 33	2104	Blackkomet.exe
Token: 34	2104	Blackkomet.exe
Token: 35	2104	Blackkomet.exe
Token: 36	2104	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	2300	winupdate.exe
Token: SeSecurityPrivilege	2300	winupdate.exe
Token: SeTakeOwnershipPrivilege	2300	winupdate.exe
Token: SeLoadDriverPrivilege	2300	winupdate.exe
Token: SeSystemProfilePrivilege	2300	winupdate.exe
Token: SeSystemtimePrivilege	2300	winupdate.exe
Token: SeProfSingleProcessPrivilege	2300	winupdate.exe
Token: SeIncBasePriorityPrivilege	2300	winupdate.exe
Token: SeCreatePagefilePrivilege	2300	winupdate.exe
Token: SeBackupPrivilege	2300	winupdate.exe
Token: SeRestorePrivilege	2300	winupdate.exe
Token: SeShutdownPrivilege	2300	winupdate.exe
Token: SeDebugPrivilege	2300	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2300	winupdate.exe
Token: SeChangeNotifyPrivilege	2300	winupdate.exe
Token: SeRemoteShutdownPrivilege	2300	winupdate.exe
Token: SeUndockPrivilege	2300	winupdate.exe
Token: SeManageVolumePrivilege	2300	winupdate.exe
Token: SeImpersonatePrivilege	2300	winupdate.exe
Token: SeCreateGlobalPrivilege	2300	winupdate.exe
Token: 33	2300	winupdate.exe
Token: 34	2300	winupdate.exe
Token: 35	2300	winupdate.exe
Token: 36	2300	winupdate.exe
Token: SeIncreaseQuotaPrivilege	1576	winupdate.exe
Token: SeSecurityPrivilege	1576	winupdate.exe
Token: SeTakeOwnershipPrivilege	1576	winupdate.exe
Token: SeLoadDriverPrivilege	1576	winupdate.exe
Token: SeSystemProfilePrivilege	1576	winupdate.exe
Token: SeSystemtimePrivilege	1576	winupdate.exe
Token: SeProfSingleProcessPrivilege	1576	winupdate.exe
Token: SeIncBasePriorityPrivilege	1576	winupdate.exe
Token: SeCreatePagefilePrivilege	1576	winupdate.exe
Token: SeBackupPrivilege	1576	winupdate.exe
Token: SeRestorePrivilege	1576	winupdate.exe
Token: SeShutdownPrivilege	1576	winupdate.exe
Token: SeDebugPrivilege	1576	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1576	winupdate.exe
Token: SeChangeNotifyPrivilege	1576	winupdate.exe
Token: SeRemoteShutdownPrivilege	1576	winupdate.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4984 wrote to memory of 3700	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3700	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 2632	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1824	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 1824	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 3812	4984	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 16 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2264	attrib.exe
2316	attrib.exe
4072	attrib.exe
3112	attrib.exe
4732	attrib.exe
4728	attrib.exe
2140	attrib.exe
2184	attrib.exe
2072	attrib.exe
2736	attrib.exe
4908	attrib.exe
4732	attrib.exe
2956	attrib.exe
4804	attrib.exe
2560	attrib.exe
1424	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b4ce3cb8,0x7ff8b4ce3cc8,0x7ff8b4ce3cd8
2⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Users\Admin\Downloads\Blackkomet.exe
"C:\Users\Admin\Downloads\Blackkomet.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4732

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2264

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4908

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2140

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4732

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4572

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2316

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4804

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1712

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3112

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2808

C:\Windows\SysWOW64\notepad.exe
notepad
10⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2072

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
7⤵
PID:1388

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
6⤵
PID:2180

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
5⤵
PID:4248

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
3⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
043348c1acb71c0431399817001c553c

SHA1
6ade305fd9923e2b0c6ac4301f4dfe3c629fbc34

SHA256
f6c506cf0fdebf7c73b73e3db374f53df66a690ae569a54e76e98e081057d475

SHA512
8bbee05504d7394407908b2f122761e60c3455d51f8f9562b4cd564364fcb1f900b9fadd9504168e9707db9d1e7d8ca2d7650e6a68fb27833d19cfe8386420c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e74e3d917f62d208bef485cae936471d

SHA1
b4ad8c83256a78bdfcb01856d548ee47e9337ac9

SHA256
3a1e4963ca2f17e30cef94221e1d29a79c6294c7d65d2ec42b48b9f6c3acf347

SHA512
54af36d57d70f909b2122b14d60fb8bd5e1022e8f67f03cde9555f468f267f00deddc5aa447e72f0c8f9e71452777e741de80d0800367e76a95a45f82794b2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dc0379be0de049b88507863d561314a6

SHA1
7bb59d013a59231479b8b5a2132589dbb23ca293

SHA256
37a6dd7e7cd490d3fcce019b45e6ae25235bf63e0be445f3b57fd8f1f5d5bc09

SHA512
920b797fce9eb0a2c5295273dc4530bfce07108109d3e9f8de90972070e210c9891272d419ae6216394344a46a254cb4e46c2a1b8a752cdeccc336a4cd7a48bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
cc3cfe63ed74de3f091ab7431b88089b

SHA1
ab3820f6945794b041d930d18d3c18e3e93dca44

SHA256
fb88d78b99add55ea31d14c0b707d356f8b0ef405037d52114ecf627cc0d6bdb

SHA512
c4b347d80fc386cc9d271126ab3bcb36ef2f76d6020fa1c2b9378b55789926876337d3ff3603361e64e65ec0c2fe139b953b3445a512ce685231dd3da0c00b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58199e.TMP
Filesize
1KB

MD5
2c1f0b722d6cf65f51e4f71ad12b8a04

SHA1
4fb94b89ac6cedaf60cf5388f25460bc83ee8947

SHA256
4a25b5eeade8112b646c0ab78fb70594e6193f94f9a2bee490bc6a7a3c425ee9

SHA512
691a2130f63bcbbeefa91d95e5f6d7766bb489d3a765bfced6a8a37ed56fb14e75d6878bd0045400bb02aa1d72a898c3d95f251493467bfb990aae4ff98c9745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f9c6d81b9963755e1f0e5f6235189975

SHA1
96d8b24451338882c3a67c9fc27345cd89a20a4f

SHA256
6856e190d5cc2bda8fac687c550b3384ff76f0741a66cd174f3dd0fc95bac432

SHA512
0e27d9c919c6c22d8f9dfe229db1d53366a6a8b0230f7d7221e2d12419dd0f621cdd327dcc43061f29f97e2ddabcd4624bfe11f4ec3073f5370b501550bde6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7935e916d32090477f0abc22a9c79d7d

SHA1
d7ce9f6d1e1d27865536c65290c390881280270d

SHA256
1ea46b91c1203f1190db35595d334ba01538f6b399ca1928faebb0ffc31323f3

SHA512
5bca371cba7c3c8c441de13d5dd9733cc11ad97e7ca5a457a8c04af3ed59ec906da4709dd4364d2a5ee48210388f671d528761ea4c8594bd3efc11b1e2cecb04

Download Submit
C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier
Filesize
115B

MD5
d2a7259c3c335d9a1f3f3f94330fb8ab

SHA1
4ecfc11525f5f12b7d7863ce12ebfce39ff89a78

SHA256
6e9c9cc247799efcafaf3535ff39b7b6e79372b352780ce7b0dfcdc3ce57e84b

SHA512
5c9440832612c20d403d47db06ff6f1f271536a8ca0bc54238daee2b29b3976452ac89b6aa1d0ff4231d9a07603f481cb2c234eb49f5c4a80576e1b9f00ebcff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 576499.crdownload
Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier
Filesize
210B

MD5
8376e41e1fab81945d87906bec9412a5

SHA1
e05df03d224602918c92b734ed1b734347b920e6

SHA256
5fe95b006cc45e4209011767d8e5579a8880b9f4ecc9c75df3e74487913ed792

SHA512
39806a088c8ef01ae1e6551091fb9e15184bcb6af2fc584eca44d73bd09caa051717e6a47c344852d53ab7f0c41e4d2e82a6f3d16fd11691c1b6d38dc8877218

Download Submit
\??\pipe\LOCAL\crashpad_4984_YIKAQBUJPRYNAFTE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1576-256-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/1712-270-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2104-251-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2180-258-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2300-253-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2424-265-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3560-254-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3684-259-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4572-263-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download