darkcomet | ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08

Analysis

max time kernel
175s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5DBus.dll
Size

426KB
MD5

0e8ff02d971b61b5d2dd1ac4df01ae4a
SHA1

638f0b46730884fa036900649f69f3021557e2fe
SHA256

1aa70b106a10c86946e23caa9fc752dc16e29fbe803bba1f1ab30d1c63ee852a
SHA512

7ba616ede66b16d9f8b2a56c3117db49a74d59d0d32eaa6958de57eac78f14b1c7f2dbba9eae4d77937399cf14d44535531baf6f9db16f357f8712dfaae4346a
SSDEEP

6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN

Score

10^/10

darkcomet remcos host agilenet aspackv2 defense_evasion discovery evasion persistence ransomware rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exewscript.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
5356	bcdedit.exe
5236	bcdedit.exe

Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs

Allows any signed driver to load without validation against a trusted certificate authority.

defense_evasion

Code Signing Policy Modification

T1553.006

Processes:

bcdedit.exe

pid	Process
5236	bcdedit.exe

Sets file to hidden 1 TTPs 26 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
5920	attrib.exe
5148	attrib.exe
4188	attrib.exe
3616	attrib.exe
1820	attrib.exe
1656	attrib.exe
5224	attrib.exe
3164	attrib.exe
840	attrib.exe
4188	attrib.exe
5236	attrib.exe
5452	attrib.exe
5912	attrib.exe
5460	attrib.exe
5676	attrib.exe
5668	attrib.exe
3228	attrib.exe
4516	attrib.exe
180	attrib.exe
2976	attrib.exe
1344	attrib.exe
2856	attrib.exe
3980	attrib.exe
3688	attrib.exe
4708	attrib.exe
4532	attrib.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral12/files/0x0007000000023dab-323.dat	aspack_v212_v242
behavioral12/files/0x0009000000023d3c-367.dat	aspack_v212_v242

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral12/memory/4072-787-0x0000000000070000-0x000000000009A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Blackkomet.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exeRemcos.exeUserdata.exenotepad.exewinupdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
76	raw.githubusercontent.com
77	raw.githubusercontent.com

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos.exeBlackkomet.exewinupdate.exewinupdate.exeMrsMajor3.0.exewscript.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Blackkomet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winupdate.exe

Drops file in System32 directory 27 IoCs

Processes:

winupdate.exewinupdate.exeBlackkomet.exewinupdate.exenotepad.exeRemcos.exenotepad.exenotepad.exeattrib.exenotepad.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Blackkomet.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Userdata.exe

description	pid	Process	procid_target
PID 3600 set thread context of 2852	3600	Userdata.exe	188

Executes dropped EXE 13 IoCs

Processes:

Curfun.exeAvoid.exeLauncher.exeTime.exeWindowsUpdate.exeRemcos.exeBlackkomet.exeUserdata.exewinupdate.exewinupdate.exeMrsMajor3.0.exewinupdate.exeeulascr.exe

pid	Process
2580	Curfun.exe
408	Avoid.exe
4688	Launcher.exe
2776	Time.exe
3540	WindowsUpdate.exe
1932	Remcos.exe
3704	Blackkomet.exe
3600	Userdata.exe
3596	winupdate.exe
3164	winupdate.exe
3564	MrsMajor3.0.exe
3084	winupdate.exe
4072	eulascr.exe

Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid	Process
4072	eulascr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2836	2708	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

notepad.exeattrib.exeattrib.exewinupdate.exenotepad.exewinupdate.exeattrib.exenotepad.execmd.execmd.exenotepad.execmd.exereg.exeattrib.exeAvoid.exeTime.exeWindowsUpdate.exePING.EXEnotepad.exeCurfun.exeLauncher.exereg.exeattrib.exeRemcos.exeBlackkomet.exeattrib.exeattrib.exeattrib.exeUserdata.exenotepad.exewinupdate.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Time.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curfun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
4856	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
2204	reg.exe
3276	reg.exe

NTFS ADS 10 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 302000.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833274.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 757733.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 767088.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 738442.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 755975.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 48178.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 344425.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 549081.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 976328.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4856	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeWindowsUpdate.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
756	msedge.exe
756	msedge.exe
1512	msedge.exe
1512	msedge.exe
1260	identity_helper.exe
1260	identity_helper.exe
4588	msedge.exe
4588	msedge.exe
2012	msedge.exe
2012	msedge.exe
3932	msedge.exe
3932	msedge.exe
916	msedge.exe
916	msedge.exe
224	msedge.exe
224	msedge.exe
3540	WindowsUpdate.exe
3540	WindowsUpdate.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
3980	msedge.exe
3980	msedge.exe
532	msedge.exe
532	msedge.exe
4876	msedge.exe
4876	msedge.exe
1284	msedge.exe
1284	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Time.exeBlackkomet.exewinupdate.exewinupdate.exe

description	pid	Process
Token: SeSystemtimePrivilege	2776	Time.exe
Token: SeSystemtimePrivilege	2776	Time.exe
Token: SeSystemtimePrivilege	2776	Time.exe
Token: SeIncreaseQuotaPrivilege	3704	Blackkomet.exe
Token: SeSecurityPrivilege	3704	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	3704	Blackkomet.exe
Token: SeLoadDriverPrivilege	3704	Blackkomet.exe
Token: SeSystemProfilePrivilege	3704	Blackkomet.exe
Token: SeSystemtimePrivilege	3704	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	3704	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	3704	Blackkomet.exe
Token: SeCreatePagefilePrivilege	3704	Blackkomet.exe
Token: SeBackupPrivilege	3704	Blackkomet.exe
Token: SeRestorePrivilege	3704	Blackkomet.exe
Token: SeShutdownPrivilege	3704	Blackkomet.exe
Token: SeDebugPrivilege	3704	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	3704	Blackkomet.exe
Token: SeChangeNotifyPrivilege	3704	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	3704	Blackkomet.exe
Token: SeUndockPrivilege	3704	Blackkomet.exe
Token: SeManageVolumePrivilege	3704	Blackkomet.exe
Token: SeImpersonatePrivilege	3704	Blackkomet.exe
Token: SeCreateGlobalPrivilege	3704	Blackkomet.exe
Token: 33	3704	Blackkomet.exe
Token: 34	3704	Blackkomet.exe
Token: 35	3704	Blackkomet.exe
Token: 36	3704	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	3596	winupdate.exe
Token: SeSecurityPrivilege	3596	winupdate.exe
Token: SeTakeOwnershipPrivilege	3596	winupdate.exe
Token: SeLoadDriverPrivilege	3596	winupdate.exe
Token: SeSystemProfilePrivilege	3596	winupdate.exe
Token: SeSystemtimePrivilege	3596	winupdate.exe
Token: SeProfSingleProcessPrivilege	3596	winupdate.exe
Token: SeIncBasePriorityPrivilege	3596	winupdate.exe
Token: SeCreatePagefilePrivilege	3596	winupdate.exe
Token: SeBackupPrivilege	3596	winupdate.exe
Token: SeRestorePrivilege	3596	winupdate.exe
Token: SeShutdownPrivilege	3596	winupdate.exe
Token: SeDebugPrivilege	3596	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3596	winupdate.exe
Token: SeChangeNotifyPrivilege	3596	winupdate.exe
Token: SeRemoteShutdownPrivilege	3596	winupdate.exe
Token: SeUndockPrivilege	3596	winupdate.exe
Token: SeManageVolumePrivilege	3596	winupdate.exe
Token: SeImpersonatePrivilege	3596	winupdate.exe
Token: SeCreateGlobalPrivilege	3596	winupdate.exe
Token: 33	3596	winupdate.exe
Token: 34	3596	winupdate.exe
Token: 35	3596	winupdate.exe
Token: 36	3596	winupdate.exe
Token: SeIncreaseQuotaPrivilege	3164	winupdate.exe
Token: SeSecurityPrivilege	3164	winupdate.exe
Token: SeTakeOwnershipPrivilege	3164	winupdate.exe
Token: SeLoadDriverPrivilege	3164	winupdate.exe
Token: SeSystemProfilePrivilege	3164	winupdate.exe
Token: SeSystemtimePrivilege	3164	winupdate.exe
Token: SeProfSingleProcessPrivilege	3164	winupdate.exe
Token: SeIncBasePriorityPrivilege	3164	winupdate.exe
Token: SeCreatePagefilePrivilege	3164	winupdate.exe
Token: SeBackupPrivilege	3164	winupdate.exe
Token: SeRestorePrivilege	3164	winupdate.exe
Token: SeShutdownPrivilege	3164	winupdate.exe
Token: SeDebugPrivilege	3164	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

msedge.exeWindowsUpdate.exe

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
3540	WindowsUpdate.exe
3540	WindowsUpdate.exe
3540	WindowsUpdate.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MrsMajor3.0.exe

pid	Process
3564	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1512 wrote to memory of 4696	1512	msedge.exe	90
PID 1512 wrote to memory of 4696	1512	msedge.exe	90
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 4428	1512	msedge.exe	91
PID 1512 wrote to memory of 756	1512	msedge.exe	92
PID 1512 wrote to memory of 756	1512	msedge.exe	92
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93
PID 1512 wrote to memory of 1760	1512	msedge.exe	93

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Views/modifies file attributes 1 TTPs 26 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	Process
5912	attrib.exe
5920	attrib.exe
5148	attrib.exe
3980	attrib.exe
4188	attrib.exe
4532	attrib.exe
5224	attrib.exe
5460	attrib.exe
2976	attrib.exe
5236	attrib.exe
5452	attrib.exe
2856	attrib.exe
3616	attrib.exe
1820	attrib.exe
4708	attrib.exe
180	attrib.exe
3164	attrib.exe
1656	attrib.exe
5676	attrib.exe
1344	attrib.exe
5668	attrib.exe
3228	attrib.exe
4188	attrib.exe
4516	attrib.exe
840	attrib.exe
3688	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ZRK 1.1 UC\src\PyQt5\Qt5\bin\Qt5DBus.dll",#1
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4b7546f8,0x7fff4b754708,0x7fff4b754718
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2008 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3000 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3924 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9284120407411970212,711362860052323344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Users\Admin\Downloads\Curfun.exe
"C:\Users\Admin\Downloads\Curfun.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580

C:\Users\Admin\Downloads\Avoid.exe
"C:\Users\Admin\Downloads\Avoid.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4688

C:\Users\Admin\Downloads\Time.exe
"C:\Users\Admin\Downloads\Time.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\Downloads\WindowsUpdate.exe
"C:\Users\Admin\Downloads\WindowsUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3540

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1228
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4856
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3276
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:2852

C:\Users\Admin\Downloads\Blackkomet.exe
"C:\Users\Admin\Downloads\Blackkomet.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Modifies WinLogon for persistence
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3704
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3956
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3228
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2856
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4188
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3616
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Adds Run key to start application
      Checks computer location settings
      Drops file in System32 directory
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3084
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3980
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        
        PID:3640
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:3728
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4708
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3688
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4188
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4532
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1344
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5236
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5460
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5676
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5920
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5148
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:380
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3600
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 88
    3⤵
    - Program crash
    PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2708 -ip 2708
1⤵
PID:2600

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3564
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\929.tmp\92A.tmp\92B.vbs //Nologo
  2⤵
  - UAC bypass
  - Checks computer location settings
  - System policy modification
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\929.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\929.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4072

C:\Users\Admin\Downloads\Spark.exe
"C:\Users\Admin\Downloads\Spark.exe"
1⤵
PID:932
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set nointegritychecks on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5356
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set testsigning on
  2⤵
  - Modifies boot configuration data using bcdedit
  - Enables test signing to bypass driver trust controls
  PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Code Signing Policy Modification

T1553.006

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\30a417b5-444b-4949-847c-428cf82db6c4.tmp

Filesize
10KB

MD5
92130d38c707e5cf14576bf1e1f053c4

SHA1
dda6f155eef348a0655c8b649dfa7cf5fd600d1e

SHA256
0b531b43cd8596b2dc4a343d2496fcc0b3dd1e1f934700289f7658b5179e07ab

SHA512
94040d36530fba0a52c46106610d1714b4f128b77904cc228a37eeb230eb94be5f09ae06006df5d4910980ee20016f8018a58a9657c46f332e41c39036399711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f7bc21714d8ccfd1fa0865f48de3a24c

SHA1
acdc624e913fc42bd70f29aa573eb5d2f12db750

SHA256
e2e42a257cb7583957910324dcc33d09e35b3ef1e07900b12b289bd33408bed1

SHA512
92cdab77af721c6befdd2c77eaabd44db03ac9a0a24ab69027c85507188e03eeb1557a4bdab44823ffa3f8929a93aa52c13b4915e9c3aa1d186ed4ef935a7b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
25426c88792c6cbb6470c1f4d600f44e

SHA1
0acd61dab22d9d5a87ea159673e4a2863f942fe9

SHA256
9e24fa369d8f682a7d245a832fd4f763cb12e357563ab3fbf650990e002c7ba1

SHA512
4c9a4659b989f1d373cf9ba40e21c6603a17f7f884919a7baaf272e668faf95cbe23112888828f6a2c3f56c635e0f227b09cb0ff3b7364e6ac5f1bea80e8b3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c3a7ee7502546e00378b4e7e392ae4f

SHA1
4a71eea0e02466a849c2321e13b3bd784b1b273b

SHA256
0b023a1746ea06b8d02493ae0465fd116d03ff761f0302b63a2e21db0be7d944

SHA512
07843de4f1492fd23f9a1e40065585154d146bdd69760ffa7cb8b15ab51aab3bb477f8a0ebac9a31b4bbc66c27231a07f59bc50d71e015cf9f87ecab9f7e777e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2f3253c583ce6f1685ddc04aa23a14a4

SHA1
080373a14e0d53bac02c72189ccb901832b3f45e

SHA256
b9f34ab4bc0c452fb1866703314b3bb5c88909c7cbf27e89bf0b8cc545a53766

SHA512
33c93dc8f6189a943746540630cfedfdd3be34c3659102d2a8689d422a9aff90fce48f10e232f0e23ba3828ed0698c7da5d9e9e2c4fa10962b869385275f3b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ecae22a2d3a02732309571357a22001f

SHA1
a45685def1608fca396e1a9f9bc968071a1639a2

SHA256
65ed8417ef87c70d0a4755efa44b900acfbde57a9d5fe3d5c73415e5c5d111d0

SHA512
efd6b6125d76a828db8ac861e290ec62858869aa1e3a37feb2648b9ecbc59b344f0e28ea8152531b063c113f71e1288dce992bc7109e6244818b202d83fc982b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3f122bded4665b93ec1c68fc49e9a0a

SHA1
ba65ba551b27673b41263bc506d3cf8bd77e769f

SHA256
5cdbaea8e7f80cda76304939b9f076a73d61db7b173a389190f15e176f661cf1

SHA512
3a3375a0a0bf18f5bc9f1aba697b87ebce96e6b8ae7c9fdc3d2c45a9ab6cb5ee4a8bafd70b85d7dd341dead696de35d8665a1280971c2cdc17128d6f4adba0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0f8a7da046eb6a4d299255066e599edf

SHA1
3802ee009a00fc0c5ae2336bad2db6a53bc92c39

SHA256
5a617964c07af90288c44e9f19ed3400eeb8939554f325551b5865c4f07774b8

SHA512
86c9ebf56f3bf48aa8ad63168bf061a4465f6e0568a4206cd75c6285fea75b79833144da74a3d263620f187e9c88e7984a8234e7a950d57422566bdc97fcc3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d39b8d72144612d891f26abbb0ad222

SHA1
3a124dd7153444f7e657e86f59a6d1164d698b34

SHA256
83f069cc3fa394ab4ad4227aecee257abf4414d46ba25b3138c907fa60a32cf7

SHA512
3f9e22a1f7848093c80ff021330c9dfb0edfbcc101404e207a1a1ef0f438f61de56586fd3abbd914bed872055f7bd43875b1d13ae683c20cf0becd48fd8fff4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48726d98ac25afaa9a815e520f764a86

SHA1
8bf0f4e7e2991ea9b2c295e01364e39adede977f

SHA256
7e98511e1a3839f01edb53912126eb833c5cdcedad9744b29d676d5f591082b2

SHA512
fc171a6006db69e44b34b711365537a842171dde82e95d314dae27b622cc3b22cf21bb23cac63baae9fab85638d16e7bfef9ba5d4ff20cd2880542ab01538ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a256e6c730027ee2b7292cdefe0c0e3

SHA1
8d5d8347374532d4ae982cead46d2a69de1ea5bf

SHA256
3c91e1e9adb8e0bfa9e46d14b6ef42f5b56851a340258c64eb3b2f1b3f853953

SHA512
77e8f7bd616abf161895bed932c6fe981aa6a77e3cf10d7c96dabff0ee085485460c7385fb3edde7bc3e10309a07b827c444dc8480fc321046c1bccab9daf6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f33c11f16b7f4a417bb83c62b4986ac

SHA1
4c6b78866d99088beb18056002983befbdf51afa

SHA256
3c3980da280df007ee0153612161606bbd87bf45ca982a2d7f9030010e183bef

SHA512
8880d902039435e5b8e297e2b943dbcddc38fdfd9aa04615b66599be9d009205c31ae77af45fc1258a33aa24ee094577700628e3af2c0f0152a6d3e65d488820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1353a0a39e17bdda1022c43251b0bc5c

SHA1
5c871c9dc23ec88e3774ec6bab82e96c79ca1fb0

SHA256
c1e3ee44ac8915478626eeaeb6a6b88a431cfa110ee8fe0409d9a15a1db81351

SHA512
70695e039720a25cf952b4b328ffdd176cf422d9b2012d609d9a9c682fa41cc62a3beb90ea8ae268b048152498779b958707f295368f58ce037af8efc3008ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11fbf8b19fa6157caa6b9e7701c422e1

SHA1
a1b10fefa004bb070a7a22c5fd7839175a6c33fd

SHA256
40ffd0ce6830dc3c6866d279cbfaa8c8dddcb6d0cf44c76846e5e467c4575862

SHA512
65ac362b74b6ea0c7fe939ebc0d03f07cbef7fbed32884959eca1d50e57bb6cff084d3c337ecde34631cc4c8b40f7db58b7ea8d8ba92e4313436e872244be4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2b8b923c150f51d3dbda6f956783c19

SHA1
7d7025ff0a7d229a8ffda893a53e4554a641735e

SHA256
32eaf63debcb56b2b1e4e6b02179bbe603c1b5e1bb3296e7b2dd3bbaf640f4dc

SHA512
da7ad4abfce7ae7d08d10ab3c4899ab4b350e6ab08a9956c8993778ed89d6e8780a706336bfe5bcf5764beb923027a15d3585815bfe1150cd172642e378dcd9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f39b544bee6b5897198ec6a6cec00fef

SHA1
b056aed3148cc90a889336ed84f301519c63d162

SHA256
8930b5430fa8e25376a82c3c8131db56adaee7b861ab924406efc9ac7520a6bd

SHA512
48a05f8cbde3a70a95b1d89660325f10e44994bd00f7ea1f6fc865a723877e2886705021a7454f9d907c5559a984e9a281a64746c3e59dab8bef01894c7a3431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1fe93c30b00910ec6dba6a35ddcdef3

SHA1
8c0d3a1a5c2d76a5e6e6dc9e240d6e4ea77882e5

SHA256
1fc0218248cdcddddb9f2ab9040cd7a1cb154032a219e26248f3f2ebfe79f0a8

SHA512
8b9c79088471124a1e224e383a8e1c72cf6299e9828ae612df669fa195e847d1b04e7d6071021edfdd6eec4e228f3422b633a3ad9f3945d04b684e7d9f1b90b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d30f.TMP

Filesize
1KB

MD5
1cb20d20e43743b36c89d58574784e2d

SHA1
4162a37f92af9067605c46db9ad1cf6f4f5f413a

SHA256
473db6422ed5f0dd7ea01e59bc2ba59334788c072958a3e20b923f909dc2f790

SHA512
d97ccec093e6636dad8035c883c738cd9399c2f4bbaf3c1a93488d7bf6fd59ed9b0ae6fe5db9e2cad3da6dd9e381463e73e0c3bc29772630c0d7f742c28e6881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a90231a048ab9118709574e0de9f2039

SHA1
5645f92e1c5a7c7a143e435e45d9aa8cc9733c0c

SHA256
e2fc6ef2036ba85dc7ebedb898adb94d66f83eae3bc3a0bea2f55c886238872e

SHA512
e586239612f7b2f519155784ee1c23702cc9e8bb5c882240bcad1ca618f84062a874ffb833f85ed51e48a8dae6b6b560a970696e2d51f3270af7722c32a0c193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
02423d02913df0ef71de82a75c1d4c9e

SHA1
827be3e59fe8c374dcfce76a5e05c4f67ab193d8

SHA256
b48a685bff608be0532cdab37c5cf2c23036ca3a52ccabf9c106909ef8aa5a29

SHA512
6a0118b42c74a285c1cc243f47c8e2133efd809763cec4b71755b913ec44794e9292d91ce4cce5a9b3ac80b20e854e665b59702f03f81f8d63702f7dd39dcb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bafdce7ee07b58480a360d4c39cd0880

SHA1
17170d72657eb8ba12232323365beaea18d7d7ef

SHA256
4fba32785e9c5640632cf4bc1fcd536c9b657cbd81fad244b2d29eb6e04b4147

SHA512
28afa50c31a904249f40238891195e3b6fe235c87699aecee909f44d9f432b070a7ed10acf275172327991fc5bee7ed3c697de552078b408d26d268b029a10fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
135B

MD5
90022f82afe48963cc42547209f18f96

SHA1
e60698c77e7df4cccc493f2cfa6d76f7553d71e2

SHA256
046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc

SHA512
6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 302000.crdownload

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 344425.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 48178.crdownload

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549081.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 738442.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 755975.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 757733.crdownload

Filesize
111KB

MD5
9d0d2fcb45b1ff9555711b47e0cd65e5

SHA1
958f29a99cbb135c92c5d1cdffb9462be35ee9fd

SHA256
dc476ae39effdd80399b6e36f1fde92c216a5bbdb6b8b2a7ecbe753e91e4c993

SHA512
8fd4ce4674cd52a3c925149945a7a50a139302be17f6ee3f30271ebe1aa6d92bcb15a017dca989cd837a5d23cd56eaacc6344dc7730234a4629186976c857ca9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 757733.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 767088.crdownload

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 833274.crdownload

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 976328.crdownload

Filesize
495KB

MD5
181ee63003e5c3ec8c378030286ed7a2

SHA1
6707f3a0906ab6d201edc5b6389f9e66e345f174

SHA256
55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe

SHA512
e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92

Download Submit
\??\pipe\LOCAL\crashpad_1512_GHJBQUGUNOGTMSXN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/408-536-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/932-800-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/932-797-0x00000000002B0000-0x0000000000330000-memory.dmp

Filesize
512KB

Download
memory/932-798-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/932-852-0x0000000004CD0000-0x0000000004D24000-memory.dmp

Filesize
336KB

Download
memory/2580-528-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2580-527-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2708-772-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2776-592-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2776-723-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2776-541-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2852-766-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3084-795-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3164-785-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3540-542-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/3540-539-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/3596-777-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3640-803-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3704-773-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3704-806-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3776-809-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3956-738-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4072-801-0x000000001D590000-0x000000001DAB8000-memory.dmp

Filesize
5.2MB

Download
memory/4072-793-0x00007FFF48CB0000-0x00007FFF48DFE000-memory.dmp

Filesize
1.3MB

Download
memory/4072-787-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/4072-799-0x000000001CE90000-0x000000001D052000-memory.dmp

Filesize
1.8MB

Download
memory/4516-812-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4688-533-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5156-816-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5364-820-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5596-832-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5840-845-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads