darkcomet | hxxps://github[.]com/zxo2004/DarkComet-RAT-5[.]3[.]1

Analysis

max time kernel
363s
max time network
368s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/zxo2004/DarkComet-RAT-5.3.1

Score

10^/10

darkcomet discovery rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Executes dropped EXE 6 IoCs

Processes:

UPX.exedangeraa.exedangeraa.exedangeraa.exedadanger.exedangeraa.exe

pid process

4884 UPX.exe
5872 dangeraa.exe
5672 dangeraa.exe
1564 dangeraa.exe
6000 dadanger.exe
2068 dangeraa.exe

pid	process
4884	UPX.exe
5872	dangeraa.exe
5672	dangeraa.exe
1564	dangeraa.exe
6000	dadanger.exe
2068	dangeraa.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\UPX.exe	upx
behavioral1/memory/4884-383-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/memory/4884-390-0x0000000000400000-0x000000000057E000-memory.dmp	upx
C:\Users\Admin\Downloads\dangeraa.exe	upx
behavioral1/memory/5872-442-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5672-446-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5672-447-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5872-448-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5872-450-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1564-451-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5872-453-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5872-457-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2068-470-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2068-471-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/5872-475-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dangeraa.exedadanger.exedangeraa.exeDarkComet.exeUPX.exedangeraa.exedangeraa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dangeraa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dadanger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dangeraa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dangeraa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dangeraa.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 55 IoCs

Processes:

DarkComet.exemsedge.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	DarkComet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	DarkComet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	DarkComet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	DarkComet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	DarkComet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	DarkComet.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "6"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	DarkComet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	DarkComet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	DarkComet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	DarkComet.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4428	msedge.exe
4428	msedge.exe
2216	msedge.exe
2216	msedge.exe
440	identity_helper.exe
440	identity_helper.exe
5852	msedge.exe
5852	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DarkComet.exe

pid process

5696 DarkComet.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2216 msedge.exe
2216 msedge.exe
2216 msedge.exe
2216 msedge.exe
2216 msedge.exe
2216 msedge.exe
2216 msedge.exe

pid	process
5696	DarkComet.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dangeraa.exedangeraa.exedangeraa.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5872	dangeraa.exe
Token: SeSecurityPrivilege	5872	dangeraa.exe
Token: SeTakeOwnershipPrivilege	5872	dangeraa.exe
Token: SeLoadDriverPrivilege	5872	dangeraa.exe
Token: SeSystemProfilePrivilege	5872	dangeraa.exe
Token: SeSystemtimePrivilege	5872	dangeraa.exe
Token: SeProfSingleProcessPrivilege	5872	dangeraa.exe
Token: SeIncBasePriorityPrivilege	5872	dangeraa.exe
Token: SeCreatePagefilePrivilege	5872	dangeraa.exe
Token: SeBackupPrivilege	5872	dangeraa.exe
Token: SeRestorePrivilege	5872	dangeraa.exe
Token: SeShutdownPrivilege	5872	dangeraa.exe
Token: SeDebugPrivilege	5872	dangeraa.exe
Token: SeSystemEnvironmentPrivilege	5872	dangeraa.exe
Token: SeChangeNotifyPrivilege	5872	dangeraa.exe
Token: SeRemoteShutdownPrivilege	5872	dangeraa.exe
Token: SeUndockPrivilege	5872	dangeraa.exe
Token: SeManageVolumePrivilege	5872	dangeraa.exe
Token: SeImpersonatePrivilege	5872	dangeraa.exe
Token: SeCreateGlobalPrivilege	5872	dangeraa.exe
Token: 33	5872	dangeraa.exe
Token: 34	5872	dangeraa.exe
Token: 35	5872	dangeraa.exe
Token: 36	5872	dangeraa.exe
Token: SeIncreaseQuotaPrivilege	5672	dangeraa.exe
Token: SeSecurityPrivilege	5672	dangeraa.exe
Token: SeTakeOwnershipPrivilege	5672	dangeraa.exe
Token: SeLoadDriverPrivilege	5672	dangeraa.exe
Token: SeSystemProfilePrivilege	5672	dangeraa.exe
Token: SeSystemtimePrivilege	5672	dangeraa.exe
Token: SeProfSingleProcessPrivilege	5672	dangeraa.exe
Token: SeIncBasePriorityPrivilege	5672	dangeraa.exe
Token: SeCreatePagefilePrivilege	5672	dangeraa.exe
Token: SeBackupPrivilege	5672	dangeraa.exe
Token: SeRestorePrivilege	5672	dangeraa.exe
Token: SeShutdownPrivilege	5672	dangeraa.exe
Token: SeDebugPrivilege	5672	dangeraa.exe
Token: SeSystemEnvironmentPrivilege	5672	dangeraa.exe
Token: SeChangeNotifyPrivilege	5672	dangeraa.exe
Token: SeRemoteShutdownPrivilege	5672	dangeraa.exe
Token: SeUndockPrivilege	5672	dangeraa.exe
Token: SeManageVolumePrivilege	5672	dangeraa.exe
Token: SeImpersonatePrivilege	5672	dangeraa.exe
Token: SeCreateGlobalPrivilege	5672	dangeraa.exe
Token: 33	5672	dangeraa.exe
Token: 34	5672	dangeraa.exe
Token: 35	5672	dangeraa.exe
Token: 36	5672	dangeraa.exe
Token: SeIncreaseQuotaPrivilege	1564	dangeraa.exe
Token: SeSecurityPrivilege	1564	dangeraa.exe
Token: SeTakeOwnershipPrivilege	1564	dangeraa.exe
Token: SeLoadDriverPrivilege	1564	dangeraa.exe
Token: SeSystemProfilePrivilege	1564	dangeraa.exe
Token: SeSystemtimePrivilege	1564	dangeraa.exe
Token: SeProfSingleProcessPrivilege	1564	dangeraa.exe
Token: SeIncBasePriorityPrivilege	1564	dangeraa.exe
Token: SeCreatePagefilePrivilege	1564	dangeraa.exe
Token: SeBackupPrivilege	1564	dangeraa.exe
Token: SeRestorePrivilege	1564	dangeraa.exe
Token: SeShutdownPrivilege	1564	dangeraa.exe
Token: SeDebugPrivilege	1564	dangeraa.exe
Token: SeSystemEnvironmentPrivilege	1564	dangeraa.exe
Token: SeChangeNotifyPrivilege	1564	dangeraa.exe
Token: SeRemoteShutdownPrivilege	1564	dangeraa.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

msedge.exeDarkComet.exe

pid	process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exeDarkComet.exe

pid	process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

DarkComet.exe

pid process

5696 DarkComet.exe
5696 DarkComet.exe
5696 DarkComet.exe
5696 DarkComet.exe
5696 DarkComet.exe

pid	process
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe
5696	DarkComet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2216 wrote to memory of 4588	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 4588	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 1372	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 4428	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 4428	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe
PID 2216 wrote to memory of 2952	2216	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/zxo2004/DarkComet-RAT-5.3.1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf7a146f8,0x7ffbf7a14708,0x7ffbf7a14718
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,9843843091140981161,8215943154868336208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6096

C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe
"C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5696
- C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\UPX.exe
  "C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\UPX.exe" -9 "C:\Users\Admin\Downloads\dangeraa.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4884

C:\Users\Admin\Downloads\dangeraa.exe
"C:\Users\Admin\Downloads\dangeraa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5872

C:\Users\Admin\Downloads\dangeraa.exe
"C:\Users\Admin\Downloads\dangeraa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5672

C:\Users\Admin\Downloads\dangeraa.exe
"C:\Users\Admin\Downloads\dangeraa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\Downloads\dadanger.exe
"C:\Users\Admin\Downloads\dadanger.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6000

C:\Users\Admin\Downloads\dangeraa.exe
"C:\Users\Admin\Downloads\dangeraa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
eeeeb64feca3507f5d06c1d3a3e2e5f1

SHA1
d2c5140a679ab8ce93cc6423e1b301b2edf07b25

SHA256
a6fcfc9c798f1bbd4f24f9d0defc28867d14cc31f892da4fd5d5f417595547c3

SHA512
c888d5cefe7413ecb45cdca7f695acd01e9db50d02f3c33bb8173b13dae2823b30643f7a6c28bedefa4e0a4ddf07f43a58418bc1ee68e178700a6f245f6d95ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
a6d346f58cbec0a6e4015327b25f1537

SHA1
750056e65a8b1c20b1a6051f5adcdf35821a6ac1

SHA256
1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56

SHA512
74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4eed4ea5acb3356c324dcb7cdcaef2b9

SHA1
7332a8c9551e13fd5a3c4a0c0f67681a469b8844

SHA256
d1f1527e6b478eb502eb05c582f16cc46dce905a3184a3d4f0b8877b81f4eb1c

SHA512
a74de60776aac9a82212af037c971dd50012b48316447d100fd1f80e2b22bd26b09b91b05bac9afe3dc77310b77892b948c05cd069fcadc9825765df7156095d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f075375eb5c1a09411e4873e955206e2

SHA1
ea5a758c902aaa1e26e8f0f0f9d8ee94030ef7b2

SHA256
43ea6a0ce7d358b686957af3f22401090a7c5f43abed1872a9ee37d5f4d13603

SHA512
e6fff3e495dfc1df65c3fd433cfc987ca7d6f69f86492eee05a46928fec92685bfc2477f32af514fee4d13874537a988e153f00e7b9fa0a01ef5248811debea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd98ca46bb525c5cd80910cb7f800f93

SHA1
3f50012daa161b5cac30acac39dc30e6d6bc1b13

SHA256
fc6e040c235eec3642dd429fdeb881714ffd613280e0e8034cb5383f6843d7a4

SHA512
ddce2be15934f60680b14e64702e46dd1d9bdd8ee5eb3feb791e7de77d969189aca33ee1e196b31d1bf0a28415ba5636c204db387e3d798a7d16d2d70e32a094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e572525469d45b4b62302b6bc11e1b4

SHA1
81c51209619ae4b4bb08bf77d5eb66ef3c959024

SHA256
e01691b260c70d4cca8d7ebf27ee05872da0e2134a137420545b92db26211002

SHA512
60d3ad86e8f3499010056ab080c362a95b0e9fd7b9ffc3153d5bc9b23ddc07097f59ff064aa9048f066a170a75a6199d060629b15c2237227fe0afcce0fadf6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e020dc00a387a236af4121fefaf1f952

SHA1
6c0ca1fbcaa3d8f6eee88088b111caccb4d5509f

SHA256
63c8984bfcf3ffdf997793a64bd89e2e54f660ac2637435a3286b7cc1534dd68

SHA512
8156828d1e187fbe38c3be5dc605563b2a9172c1a6133fe3dc7f086f26677d0c0fb05aa1632f7aabc31dad1fcd935bdf63e14acbd433eed8ccac9f524999a945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5842c1.TMP

Filesize
874B

MD5
e3e3b8f9b09dd473aac390945d9b48b5

SHA1
d3ef4634242cf9819eb4b37517a525e91fca3fde

SHA256
a955e58166cc9b02fb4a0c5baa58190e1472a015ad7798732f065b124c8cc0dd

SHA512
0d6c350bd0550e1f9e4c376c5df0fd2c1d4944151231b8560fb7471c66836bd5f4c2e2c45a356b93ee9ede5a20ac2f4dc2462b2cb9a5cc88b23c561c2a02496c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74f2d5e484a57863f75b5f795dc158da

SHA1
fc382d9db4d91619adf944aca480a775ea319c07

SHA256
481127f6f79931b254099db2d2245167e4b93cff95c567fceaa4bccff9b67996

SHA512
8bd7e96abea128f1161bdeb3ef980cc90d10d418f9bfc9aad56f2dd253b2aa8269ef6acb659508259c3e0574e204549400f9c03b51eef97c466e8d9279031603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
488680f10c138d3c571deed643ce5c34

SHA1
a281d7d2ee31c9fd2319a4220b4b84905c26cc02

SHA256
0ef35c5d0a4423ae7d099bbb056c99c3e8e17761943d181de9e5900cff479d09

SHA512
a7f0a25cfa230167a51e5e84356b9086d48e05319a5e8d8e294fbb425ac377031d8216de234b6c5005178984b1502ca515dc4bd2de947f183c5d5b0b31f3a1e1

Download Submit
C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\INI\Settings-01.ini

Filesize
776B

MD5
6aa48eef538628d21f92ebc90719ccc8

SHA1
469bbdd63913a5308096e48a99b87376d2614872

SHA256
7737b3bc4d67ad5360e833055f77136ea7e5f1578f8f65793b4f3aa893aef27b

SHA512
a0b68c3f5405de23eff147c1392d20a49733730790b0322b512412ff7b1056d024ddb3606e068833ceddc8d692f41ca75475974d28f257173b35655136f66d41

Download Submit
C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\UPX.exe

Filesize
283KB

MD5
308f709a8f01371a6dd088a793e65a5f

SHA1
a07c073d807ab0119b090821ee29edaae481e530

SHA256
c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35

SHA512
c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

Download Submit
C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\config.ini

Filesize
522B

MD5
0a5baccb60ddf613c9ef2b18e0b1863f

SHA1
39bb75213fab1a7b9ab51089ef54f43086d8b1f3

SHA256
21a222e00ea35f663dc6c397c0a0aa6d80e52187644b170cee9e186892a22f4e

SHA512
b24b4e15fc975f81e5e5216cc098f8a34faeb5f7b3f10fe8f9f4a19157abe62f293b4687440434744e5c5284736a9a472fc5d04f5fda72e94fe5e7140b36de9b

Download Submit
C:\Users\Admin\Downloads\DarkComet-RAT-5.3.1-master\DarkComet-RAT-5.3.1-master\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\config.ini

Filesize
519B

MD5
8862be7830b502941512d8d89747de84

SHA1
f8e02c478a7b279bd7deb30a22f4c15ac5269842

SHA256
a45d7cebe7f8ca99b46659f422523b30c3527e32a7c7afbcaf8357b3825e374a

SHA512
26bf5a26821c43e2020b9889ce06558239f684803466ee2dfa0824e8a228036d9abd2c8af7188ed7ae2914a968ab88b95b38dea0efd79111651e14549a4a7486

Download Submit
C:\Users\Admin\Downloads\RCXE289.tmp

Filesize
3KB

MD5
352120954900ea4d037adb8fe704491a

SHA1
c63c7b83441768c9a2909125754491ec054139de

SHA256
dde5e5682bd892a848c210fc25647d92f9416b2ae2e1af4f453cab758fbbe266

SHA512
c31a63d0b301cde379d7a15f109ff9d47f0224038926fc30b163ffe16eb895fd6e58671a8177b2d9f99d8683b715b40fd45efa08b98eea06918c50e676d5cd83

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 156163.crdownload

Filesize
14.6MB

MD5
abef83a4ead4d18c354f98d7e72312f1

SHA1
21e1ce0fa9013534af2a27c6d8fd0798e1028128

SHA256
86ffdda11652f7e00c5fc21eb9f2e97cad4453b5e467501bb1207d3ebb7781ea

SHA512
9145e554f98f8dc66435bd468b6cc064f1f1ea73aafabbb61ec9ed1cb4d6744f22e01f69ac3ed2fd2a3a0c4bb2a50ef658c1d9564f1eaee1848c7f5392742010

Download Submit
C:\Users\Admin\Downloads\dangeraa.exe

Filesize
755KB

MD5
75d9423ebb5519d5edf6c13be5c060b7

SHA1
10cd06230f65a245dbc261b05e0c511c1fc1eb36

SHA256
939b1034b405cd02ec5ff626d745fe47f5bf286d2241bd2ae2b4125c0411fdfc

SHA512
3e4e9bd4262eec845dbb5ec90349826efc5c27b078b918b71fc8ccd3aa81834b68686b826c141f1e7cf226ed7ac845887592d41c78271c7dcbbbbf4dff5f2c73

Download Submit
C:\Users\Admin\Downloads\dangeraa.exe

Filesize
348KB

MD5
c3e55eaa02ad92e11da481e769baf47c

SHA1
67f747f8dc8e3043cc87e596333f119d44f1e7b1

SHA256
f1df0d122d37ce9368e736a660271c7647f62c4637dfa89cbe9e1db9a6617535

SHA512
122aa442fdb20f18b6fa0d7366cab6257136f749ec6e117d60482d21c815d44780814c255e3b3cb08ba2489acfd560ce0bbe6b5b54a30144f3221478dd0b66d5

Download Submit
\??\pipe\LOCAL\crashpad_2216_KYHLSIMTNAYRIUGS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1564-451-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-471-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-470-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4884-390-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4884-383-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5672-446-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5672-447-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5696-362-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-341-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-363-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-364-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-366-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-360-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-359-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-358-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-357-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-356-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-355-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-440-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-514-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-345-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-342-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-335-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-473-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-361-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-452-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-336-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-454-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-456-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-337-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-338-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-464-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5696-468-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/5872-457-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5872-453-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5872-450-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5872-475-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5872-448-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5872-442-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/6000-474-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download