Analysis
- max time kernel: 114s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-08-2024 15:40
Behavioral tasks
- behavioral1: sample 123123.exe, resource win7-20240704-en
- behavioral2: sample 123123.exe, resource win10-20240404-en
- behavioral3: sample 123123.exe, resource win10v2004-20240802-en
General
- Target: 123123.exe
- Size: 658KB
- MD5: 42f8b99dea0186908eeb30d4bd293cda
- SHA1: 2c5638b79e88b8b2f7078e7ea5fc3eefe73c8855
- SHA256: 04486743ed363cbf4859592608f09d3ec9158fef8b128b5f57cf133316b99847
- SHA512: f892ef131d966a098d2e45b2576e7faab6d1391c1597e759259229e335eb8aac914fffadbbbb42f8942257027aec81c7d715928e9784a139182d9e68eb85c87d
- SSDEEP: 12288:i9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hd:OZ1xuVVjfFoynPaVBUR8f+kN10EB7
Malware Config
Extracted family: darkcomet
- ID: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-7B3BWFW
- gencode: Xu99WfLfeqW5
- install: false
- offline_keylogger: true
- password: 0123456789
- persistence: false
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 123123.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (process: firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: firefox.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: chrome.exe)
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings (process: firefox.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 2524 chrome.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
  - PID 2884 123123.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 2196 firefox.exe: SeDebugPrivilege (2 entries)
  - PID 2524 chrome.exe: SeShutdownPrivilege (6 entries)
- Suspicious use of FindShellTrayWindow (38 IoCs)
  Processes:
  - PID 2196 firefox.exe (4 entries)
  - PID 2524 chrome.exe (34 entries)
- Suspicious use of SendNotifyMessage (35 IoCs)
  Processes:
  - PID 2196 firefox.exe (3 entries)
  - PID 2524 chrome.exe (32 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 2884 123123.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 2944 firefox.exe wrote to memory of PID 2196 firefox.exe (12 entries)
  - PID 2196 firefox.exe wrote to memory of PID 2212 firefox.exe (3 entries)
  - PID 2196 firefox.exe wrote to memory of PID 1076 firefox.exe (44 entries)
  - PID 2196 firefox.exe wrote to memory of PID 560 firefox.exe (5 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- "C:\Users\Admin\AppData\Local\Temp\123123.exe" (PID 2884)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files\Mozilla Firefox\firefox.exe" (PID 2944)
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files\Mozilla Firefox\firefox.exe" (PID 2196)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.0.903014579\1160547912" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b852cf71-ea14-4ed1-aecc-97c7481b27c4} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 1300 10dd7058 gpu (PID 2212)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.1.2084959991\806814457" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b4549a-916d-46dc-9e7e-1244d518da09} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 1496 e6fb58 socket (PID 1076)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.2.1549703919\1589374324" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73e6e6f1-f506-47f9-a14e-127fda9eeb6c} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2104 19c7a058 tab (PID 560)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.3.2085239477\2117655984" -childID 2 -isForBrowser -prefsHandle 592 -prefMapHandle 1652 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44d169b1-0d2a-4c93-85eb-3d5305f999f4} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2408 e71958 tab (PID 1772)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.4.406981598\327743342" -childID 3 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbaa616f-5369-4e32-9734-3b8a3f5b748f} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2896 e62858 tab (PID 932)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.5.1720269604\163197529" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3756 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bb80c53-621f-4d68-8a1b-ab38448a54f7} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3796 1d2bac58 tab (PID 2044)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.6.658409213\945725864" -childID 5 -isForBrowser -prefsHandle 3884 -prefMapHandle 3788 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa9d43b-5221-407a-a2e6-0fa07ef39f8e} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3904 1ef1fb58 tab (PID 1852)
    - "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.7.1539232744\10481551" -childID 6 -isForBrowser -prefsHandle 3892 -prefMapHandle 3908 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {add76e1a-e5fd-40d6-aa53-fc90f83e3ac6} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3960 1ef20458 tab (PID 2684)
- "C:\Program Files\Google\Chrome\Application\chrome.exe" (PID 2524)
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4f59758,0x7fef4f59768,0x7fef4f59778 (PID 2804)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:2 (PID 2540)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:8 (PID 1656)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:8 (PID 3076)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2076 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:1 (PID 3196)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2096 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:1 (PID 3204)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:2 (PID 3660)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1328 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:1 (PID 3772)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1376,i,12413491169905757090,1122430577773043945,131072 /prefetch:8 (PID 3252)
- "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (PID 3392)
- "C:\Program Files\Internet Explorer\iexplore.exe" (PID 3420)
  - "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3420 CREDAT:275457 /prefetch:2 (PID 3940)
- "C:\Windows\explorer.exe" (PID 3640)
- C:\Windows\system32\AUDIODG.EXE 0x468 (PID 3532)
Network
MITRE ATT&CK Enterprise v15
Downloads