darkcomet | hxxps://github[.]com/MalwareStudio/FunnyFile

Analysis

max time kernel
299s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MalwareStudio/FunnyFile

Score

10^/10

darkcomet defense_evasion discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

winupdate.exeBlackkomet.exewinupdate.exewinupdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 8 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2304	attrib.exe
1824	attrib.exe
2160	attrib.exe
1516	attrib.exe
4792	attrib.exe
408	attrib.exe
1424	attrib.exe
1260	attrib.exe

Executes dropped EXE 4 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exewinupdate.exe

pid	Process
692	Blackkomet.exe
4564	winupdate.exe
3388	winupdate.exe
4928	winupdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winupdate.exeBlackkomet.exewinupdate.exewinupdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in System32 directory 20 IoCs

Processes:

winupdate.exeattrib.exewinupdate.exeattrib.exeBlackkomet.exeattrib.exeattrib.exeattrib.exewinupdate.exeattrib.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exewinupdate.exeattrib.exeattrib.exeattrib.exewinupdate.exeattrib.exeattrib.exeattrib.exewinupdate.exeattrib.exeBlackkomet.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 16 IoCs

Processes:

msedge.exeBlackkomet.exewinupdate.exeOpenWith.exewinupdate.exewinupdate.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FunnyFile-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotScaryFile.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotScaryFile (1).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 284641.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exetaskmgr.exe

pid	Process
4004	msedge.exe
4004	msedge.exe
2764	msedge.exe
2764	msedge.exe
2444	msedge.exe
2444	msedge.exe
4124	identity_helper.exe
4124	identity_helper.exe
4720	msedge.exe
4720	msedge.exe
2072	msedge.exe
2072	msedge.exe
1168	msedge.exe
1168	msedge.exe
1996	msedge.exe
1996	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
2108	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	692	Blackkomet.exe
Token: SeSecurityPrivilege	692	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	692	Blackkomet.exe
Token: SeLoadDriverPrivilege	692	Blackkomet.exe
Token: SeSystemProfilePrivilege	692	Blackkomet.exe
Token: SeSystemtimePrivilege	692	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	692	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	692	Blackkomet.exe
Token: SeCreatePagefilePrivilege	692	Blackkomet.exe
Token: SeBackupPrivilege	692	Blackkomet.exe
Token: SeRestorePrivilege	692	Blackkomet.exe
Token: SeShutdownPrivilege	692	Blackkomet.exe
Token: SeDebugPrivilege	692	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	692	Blackkomet.exe
Token: SeChangeNotifyPrivilege	692	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	692	Blackkomet.exe
Token: SeUndockPrivilege	692	Blackkomet.exe
Token: SeManageVolumePrivilege	692	Blackkomet.exe
Token: SeImpersonatePrivilege	692	Blackkomet.exe
Token: SeCreateGlobalPrivilege	692	Blackkomet.exe
Token: 33	692	Blackkomet.exe
Token: 34	692	Blackkomet.exe
Token: 35	692	Blackkomet.exe
Token: 36	692	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	4564	winupdate.exe
Token: SeSecurityPrivilege	4564	winupdate.exe
Token: SeTakeOwnershipPrivilege	4564	winupdate.exe
Token: SeLoadDriverPrivilege	4564	winupdate.exe
Token: SeSystemProfilePrivilege	4564	winupdate.exe
Token: SeSystemtimePrivilege	4564	winupdate.exe
Token: SeProfSingleProcessPrivilege	4564	winupdate.exe
Token: SeIncBasePriorityPrivilege	4564	winupdate.exe
Token: SeCreatePagefilePrivilege	4564	winupdate.exe
Token: SeBackupPrivilege	4564	winupdate.exe
Token: SeRestorePrivilege	4564	winupdate.exe
Token: SeShutdownPrivilege	4564	winupdate.exe
Token: SeDebugPrivilege	4564	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4564	winupdate.exe
Token: SeChangeNotifyPrivilege	4564	winupdate.exe
Token: SeRemoteShutdownPrivilege	4564	winupdate.exe
Token: SeUndockPrivilege	4564	winupdate.exe
Token: SeManageVolumePrivilege	4564	winupdate.exe
Token: SeImpersonatePrivilege	4564	winupdate.exe
Token: SeCreateGlobalPrivilege	4564	winupdate.exe
Token: 33	4564	winupdate.exe
Token: 34	4564	winupdate.exe
Token: 35	4564	winupdate.exe
Token: 36	4564	winupdate.exe
Token: SeIncreaseQuotaPrivilege	3388	winupdate.exe
Token: SeSecurityPrivilege	3388	winupdate.exe
Token: SeTakeOwnershipPrivilege	3388	winupdate.exe
Token: SeLoadDriverPrivilege	3388	winupdate.exe
Token: SeSystemProfilePrivilege	3388	winupdate.exe
Token: SeSystemtimePrivilege	3388	winupdate.exe
Token: SeProfSingleProcessPrivilege	3388	winupdate.exe
Token: SeIncBasePriorityPrivilege	3388	winupdate.exe
Token: SeCreatePagefilePrivilege	3388	winupdate.exe
Token: SeBackupPrivilege	3388	winupdate.exe
Token: SeRestorePrivilege	3388	winupdate.exe
Token: SeShutdownPrivilege	3388	winupdate.exe
Token: SeDebugPrivilege	3388	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3388	winupdate.exe
Token: SeChangeNotifyPrivilege	3388	winupdate.exe
Token: SeRemoteShutdownPrivilege	3388	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe
2108	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid	Process
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe
2640	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2764 wrote to memory of 1084	2764	msedge.exe	77
PID 2764 wrote to memory of 1084	2764	msedge.exe	77
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 2828	2764	msedge.exe	78
PID 2764 wrote to memory of 4004	2764	msedge.exe	79
PID 2764 wrote to memory of 4004	2764	msedge.exe	79
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80
PID 2764 wrote to memory of 2880	2764	msedge.exe	80

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2304	attrib.exe
1824	attrib.exe
2160	attrib.exe
1516	attrib.exe
4792	attrib.exe
408	attrib.exe
1424	attrib.exe
1260	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/MalwareStudio/FunnyFile
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff91ad43cb8,0x7ff91ad43cc8,0x7ff91ad43cd8
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,4196747924380291531,2704386881592660402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
  2⤵
  PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
PID:2816

C:\Users\Admin\Downloads\Blackkomet.exe
"C:\Users\Admin\Downloads\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:408
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1424
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1260
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2304
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2160
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4928
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1516
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=winupdate.exe Winupdate"
1⤵
PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91ad43cb8,0x7ff91ad43cc8,0x7ff91ad43cd8
  2⤵
  PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
47KB

MD5
55a93dd8c17e1019c87980a74c65cb1b

SHA1
4b99f1784b2bb2b2cc0e78b88c5d25858ff01c5d

SHA256
4925dd477b8abf082cb81e636f8d2c76f34d7864947114fc9f1db0e68b5a9009

SHA512
f9ade542c593067dbcd13ed94da1ba17a84782575355396db8fd7c28aa70a3120d0c0a22d3ca3d2f0774c1dcb06b9319e243b36001c618c92e0af25cb9c8e46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
25KB

MD5
cd74fa4f0944963c0908611fed565d9b

SHA1
c18033d8679d742e2aab1d6c88c28bd8f8a9e10d

SHA256
e432edfafbd52fcdbd59ef74892aa2e2ab19df6647ae723b368fca529066a804

SHA512
b526216bdbc73a97db41edbec6fdfd09b7b4ae149d415fb5811dde03ad4b1b0247950abd78fef807ae47674ab1b56ff0b971fa5e305b26bc92dc07871313b750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ca5072274cc579f18aefe8229e784157

SHA1
fd4b7c71e82cb642cfd280c7b55246870dfa351a

SHA256
7f7470e000d32d3c6c0252ea6199972be83974b4cf59006343316a54eece7e0b

SHA512
ca7d91e86f7172e4f43916661b0261b144d0037f45d08d7be27f3f3555f8b42890e696b84b04ec890c232a71af8b6c75bd4328ed1652e11cef1ac597de9690d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
01f767455f25859f29376f9f7d524f84

SHA1
12419a201672de70f370729061869d0232d7e15f

SHA256
64b87582f8973fbabc271ff2dd9ee26a661ee6fd9ed4cdb161008deb313fbf7d

SHA512
3c68a16237e21841f7736cbbe7bdb8a25dcdc07c006b6ee656ac321b5cd78d5241846ea066461c4b481db59f7add62213133c9b1d9386f2ce08f834c81c0a59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d8f50be3a3fa125074184b746957f1a1

SHA1
654dda3810a5753873246557f233784f31bbdb45

SHA256
897fab2fdc9f65cb80675a1698887f778e3df7cd44c49ae213768b325c87beed

SHA512
c2ea99cbe31fad9be2a51ec3b3f072701c90ef433b05e2333a698b7a6b6da9f70f7d322ae0d50a3febb9ef2ee0cf789569775393442889d7dc3eb7a9bff97282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1008B

MD5
5aa71075629e14e5ad4819a773abc5ab

SHA1
33b30f73f8e500479aaa0ccd2a2800996c12f6b8

SHA256
bb5f7120cfc13633c1b88a0b702415ffc6f12d9b3a3cc80d4b5d22b70ae80d41

SHA512
dbe44aa6d6baacbc8122c8b974568a247b0763191ad6ef6e1e8a2a84ed0defe9b6f785ea91534cff85e6fe79ed459385e61ef6ddd9e9c9a7708a09d2855191e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1008B

MD5
b4a750bbfd25c390800997c339d9da08

SHA1
ed508105cc02d382a844391ee27e84c774a60583

SHA256
fc82f8c144b5e86c39bac7c95d5f8c5c8af67449e59090a226027cd996e4670a

SHA512
0dec805a81b80441890d2b17260f3510196886632df73d2ea76c1e534e3408e64f6423955ee1a26c7aa9fddf63f462a6fdd3054a2429cb682215221a2ae6479f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
656B

MD5
91e1782e5e4bfee04981b6e10fa450ad

SHA1
d597b3dc67d02ebbcdffeda44ecfc48a3b2406f9

SHA256
1f8a27922263bf7816308b044368d7a8aed6c80ed0430bc7115952f2158f27fc

SHA512
7f8b8bace59a1d6e1a9b853fa825b79b6d7a3a60559b27216b43ef2f17ac59a89454d5ca3bf2d278774ee7b8e9d8261bc258787c8c506a85387cd15588608234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54572f0657c8fcb5361305c888c7ad8d

SHA1
fabd5fc83966a87fb0250a63f959d9e48f0afb51

SHA256
a663055110e4875a04d0ccd7abd53b49804a59568787a805304c49570d048c81

SHA512
ee7b72e5f197441ba783c3f80a0bb8ea1357ad6bf55e1f42595c14521bc223f32730137e338212ac58ab0944bf2767d87509c156b7975908479962e13614e211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a3bd3e1a3910e0f40a63c7a3d125064c

SHA1
161b6d7a7c6bd5cf3bf016de9a928f70f6b3bfd6

SHA256
89563ee91a00d41cd179a77426c6c76740568632077c8b730b2fa6b1f4a7c162

SHA512
ae6bf0794fe42e8274c6ed1239e637538b7d60ce3e8bce30522215631738bd154823671a3cf3df4d8d0e7df0fabd2c926c1901503b059a9845f30f8b365c556d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4fd6d6d0561d502941027e5864dc0a5d

SHA1
ae7d74163f4e0311df5f7b130f7b59063db3bcc1

SHA256
60b37deb9e50f8d70d1b9835318f7d6251d97f50070aac3932af9c98b28a69de

SHA512
11497932d228cad9a0ca1249730fb6710e09e47fbcf8b3e8e697aec1b7832da3b376307aa39fee33ed91e77ae8df16890664b71509e5bb305c0648d74f2e0b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56920bb682abae31387deaea93275a37

SHA1
e82e9032cf301af80d077460d22db8c3e8e4a9cc

SHA256
80813549e08f580045c0f0d67b870c8e880e15796f143968ecade7ee5efdc07e

SHA512
cfc22737b215d9924574b18e9ca151027e458ecffe827b1050a5b7865e6bb0d5a7b5cedc7d3e14634e52f40104902ff93d6c8250fee9a3bc62a39925c965368e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
269da9894fe0025c31721ae77d2059e3

SHA1
2da5074375c8663d2fc1d87342638baacc010d7c

SHA256
06f24a35a7cf1fe775f258f6f72839201436c66c2279061abaad25b6cf86a450

SHA512
7c3dbb2f5a024d99ef244966c902ec6e7d688fad0f8f1f9ac6e9464dcd4a12724d4d7a81f49254e4998a9d9e9ab74593f40a5f79f1107d19547acc2ee5f2cb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
184bc3ea72882a7c93bc0b612ef6b564

SHA1
24cbc5dc5ee40994234723f1c1253f95db4da577

SHA256
b14fbbffba0017eaef34a948f2b0a3aa3462cff5546f60ecfddd812060640da8

SHA512
db8e298c0c9b1c8a39d53c746ad9de20a0003bfb81b8bff81c644534165c84d7ab7eb68e08f3396ab94dd789315f49386f7966cee7ea622bfbe1191b30c7acba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b3890ce62e6fb907dc669e26444c975

SHA1
539dfff3123b1d2bed353717e4f9f1bf6a60ba6d

SHA256
7b9914f268ab654593af70dcc54784d8d6f44ada934442a8037c113f8ffca65e

SHA512
607e0957a5bab5586ae19a49ced120fe093bd3c5a7ce4d2b8c08a2b48c02cc87d356e9727e9dbac16e3842a5727d3bbda555d463e5609010c2ed373e637ed484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4491081b1e213a01d817f13ec8f003e4

SHA1
530a5bae93e0e3e12cd3f1a8f121acc2fc254d2b

SHA256
3c6cbf89173e82faae62cfce91155f018e436efafd90b97d5cce7782cb265a89

SHA512
8f0a562b0a100610fecee1d8e8b1b0245deae5ffcc88dadb95c3596824ab8266470b24456457c79c667b9c223884b600eb81f75f85b948676b9c09c0cd1eda13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39fccd21c7b0cfc51f4784e2b24d4252

SHA1
4ba65657e24da0dd193b2655329a70b5b8601c02

SHA256
9e4f61b8a9c1e544dbd8d5b0e720985e7ff83e4cb2547f248c0f10ff7f884517

SHA512
9c3dfc1ddd3cd8eb4ea340e51563f240c5d7a8455d05d528bb83b357efc3dc5c265d918772fc02a4b10366b82b7b87b0b0538c6c596143867c7447325b08249e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c370dafa9467cbf0c8182eabf9a54b1f

SHA1
41e9c7d3e38559754ea10257600afdaaceb2be22

SHA256
3c133a6907ebaa2758cbda8282d3c1e7f32957b3d5ded1f99a3018e2ede38770

SHA512
218235a7a58ad2f4db71642fa6e8959c7b2d1a20ec59d75a152dd3a636866b9d5eb357368ac475fefd5e938b2a6f8a00e312e5cf574d4885606806057f9cdd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
35939dda9a15ad40cb1be067b06fb828

SHA1
b5b09c2086f8a26dac53a462ee5e4bf833fa2569

SHA256
03a103b1bff3089a25b617e5887c7c27f9b1b9d6d26b42f1671a47d916ab623b

SHA512
63ea85681354971180e3ea6141f20f9295c7cdf57a9021f70360ede3bfa82bf7dbbabcd2402ff97480d8eec42d33eb985b92b7e7f9f89b997106b74a20235947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c87b5b6a2872bc72ba360cb9bae70977

SHA1
17fd8518b81a07244c210e0669f6df4013e569b1

SHA256
2dc2da6b6acd5b888218ae44ea455aae1e315a2dc55cd5a303584810a3409eae

SHA512
0c79876c481e8ed0527600bbd8954f3cc5cb075e13b54dff321affc61ddc90b91e80471993607ab36d81f941af1f8e9b954d3b63b1ab98ae6381ceef843dfdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586656.TMP

Filesize
1KB

MD5
a6eb8df0998d867e4f57af61aac257f8

SHA1
7c5a89ce1f4179a407e307e00105363d083fc41c

SHA256
0c2d7b317066e630f2beff2679479125bf85a6372712c3929232c1deda463cfd

SHA512
611dff1c85410dbe58aaf434a5099558f0da32a6c40a4f7b9d3662525fd7fa9d9b47a4964c56d3d3409c9ee24b8abf98927f7bf2da7625324030b0c09ce7255c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9cb39463335d53e7a28ebfdf5d90dedf

SHA1
9c46cb37e6ce692f1a95c363cf62ab10b4e144b0

SHA256
1ba5b65e118c07a27e975d65d5933ca4036261b7c2b5460ee88ea94735a9a5b1

SHA512
6918cb6559871c48b397e4fc8747e37bc5b9940584b3fa8ce8907a9758334589c3c557e9efe6111edba5787dad8341316f7055b025c4635acc3f74bc5dbbcdae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
098effd3ba4bbee865703c8b7b80857f

SHA1
81c5b5fbd19e80cbcec7fe223d62824cef3d8533

SHA256
6d318b02f11aadf8800da96a88cadcbe36ac91d00990ab3f39cb88100d686536

SHA512
ac7351f1542a83029980e7765d0174ab0dad6dec1b0ae26729d301b43edbe0cf9272aa981bbd09281e8a3b3fb897f9196ca525c255535507635c50094b303ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
227a3c8d8736d203acece2c9b0ce3f16

SHA1
3490a1c5fb760a2eba9a2785aa8aa1e98f7bc3fd

SHA256
405830f2b9ece441cd3ff7543233922929165e36ee8c3a745033cdf709739ddd

SHA512
a960dacb8168b63dcd6a0704ddab1dbdc5be728385161801f3198d41ae45bf3f96731f0acc279faa449f570ce294801c993a838a97cb29b401b57d4882f530ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f2f6154da7ea79b62648e594a9d3a773

SHA1
bb5db623b75bf08705d2698fc68674a8e6cdac4d

SHA256
f12391e414075c86e4ebd9767e44f920917e560af16004b2a4b403f9a0679eef

SHA512
d32a1e793c2006ed02d292595a73bc798b6bdfa79339d38e9286bbda75847eed9e51d11c172cb0a772abf6d147d0dd00cbb6fde0644670f6bb1302149ca0c6db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b946a50c5e5969b00143ed4bd3f43f3

SHA1
2fa3066424498e3df7f9eb1dde9ae1caa27560ca

SHA256
8113fe1599e2c4dfb2abec790eca0a4bea7d36b365f7493d3f084b4ec43310c7

SHA512
214d4ae35b819d3c22d06670020b8441a90a0b0ac2be97ca09ecfa0f37a7c45382dc79cebbfa3d5a8fb2e2211336eaa2bea481ba0ee24c8fcb9d43c84e3a9e65

Download Submit
C:\Users\Admin\Downloads\FunnyFile-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 284641.crdownload

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 693441.crdownload

Filesize
15.0MB

MD5
42b610e943d98a8b4050512c18ea7d66

SHA1
31b4396b9ae18b034f6662374cb7bd7e0e606b39

SHA256
ec1f37d1036972c0ff0b08c37c4f5a0a952ef68d8c1fae7220c1b659b3def3e4

SHA512
bac7777436b4c22ff73766f1447b26f49df7618008f21eb011b99440a31f7f5f19d42fd48235955c5fb7a92bd85b9cae0de3e42200b9a2239bafed241fb2b047

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 938489.crdownload

Filesize
15.0MB

MD5
b8bf0843ebe241b26bed3860c60efc73

SHA1
1aac5609f43d051c6681f3baebca971a8338085d

SHA256
f9b46e6d9b70e52141aaa716168e8209f093a979d52b388db85d9cc34f604997

SHA512
f697109bffa8f9339cd5ab637276203712996cab94d13de0eb160822bf9ddabdf48c5603b67b0718c7571421ea2c39bc78ce5ef875db5d71cf923ace99ddfa4a

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_2764_HXBRSKEKLALOTFDI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/692-907-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2108-942-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-952-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-951-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-950-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-949-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-953-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-954-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-948-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-944-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/2108-943-0x00000245E8960000-0x00000245E8961000-memory.dmp

Filesize
4KB

Download
memory/3388-920-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4564-918-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4928-930-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download