darkcomet | 1736d604d6c8a14948ebe5386727ca3de215e1163904eac094b39769b8faea64

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Size

850KB
MD5

25fef2629b1a28be76522da59a85506f
SHA1

e1c6b2ac497f253cb03aa69505111532b4241a38
SHA256

1736d604d6c8a14948ebe5386727ca3de215e1163904eac094b39769b8faea64
SHA512

8656b9393d45dda010013825238b8254404b89316511b66877f78ad5b61008cb4d50e48e749cb646ada5891299b85dd7342336b4024e034865cfa07d47e08617
SSDEEP

12288:j6qvGvd8EgWCKXtWxWT56LbdJ0Ua0c1xHVkPyjRIBTK+jUOq6fgJg0Ges/5rBY6:hvGvd8HK9hwLbdJp6/kIo7f

Score

10^/10

darkcomet guest16 discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

6.tcp.ngrok.io:10371

Mutex

DC_MUTEX-6TC6YTT

Attributes

gencode
6Wpjj0ueCN6h
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
64	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 4428 set thread context of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
4308	msedge.exe
4308	msedge.exe
3932	msedge.exe
3932	msedge.exe
2356	identity_helper.exe
2356	identity_helper.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeIncreaseQuotaPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeSecurityPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeTakeOwnershipPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeLoadDriverPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeSystemProfilePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeSystemtimePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeProfSingleProcessPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeIncBasePriorityPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeCreatePagefilePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeBackupPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeRestorePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeShutdownPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeDebugPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeSystemEnvironmentPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeChangeNotifyPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeRemoteShutdownPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeUndockPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeManageVolumePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeImpersonatePrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: SeCreateGlobalPrivilege	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: 33	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: 34	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: 35	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
Token: 36	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 2864 wrote to memory of 4428	2864	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	82
PID 4428 wrote to memory of 1032	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	83
PID 4428 wrote to memory of 1032	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	83
PID 4428 wrote to memory of 1032	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	83
PID 4428 wrote to memory of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84
PID 4428 wrote to memory of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84
PID 4428 wrote to memory of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84
PID 4428 wrote to memory of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84
PID 4428 wrote to memory of 4460	4428	JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe	84
PID 1032 wrote to memory of 64	1032	cmd.exe	86
PID 1032 wrote to memory of 64	1032	cmd.exe	86
PID 1032 wrote to memory of 64	1032	cmd.exe	86
PID 4460 wrote to memory of 3932	4460	iexplore.exe	91
PID 4460 wrote to memory of 3932	4460	iexplore.exe	91
PID 3932 wrote to memory of 1668	3932	msedge.exe	92
PID 3932 wrote to memory of 1668	3932	msedge.exe	92
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93
PID 3932 wrote to memory of 1404	3932	msedge.exe	93

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
64	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25fef2629b1a28be76522da59a85506f.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:64
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef74146f8,0x7ffef7414708,0x7ffef7414718
        5⤵
        
        PID:1668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        5⤵
        
        PID:4500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:1040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:3776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
        5⤵
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
        5⤵
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
        5⤵
        
        PID:4892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        5⤵
        
        PID:4364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13678799169061367176,7929106099576655873,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
      4⤵
      PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef74146f8,0x7ffef7414708,0x7ffef7414718
        5⤵
        
        PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
66341c1f3a5b29b7c217ca8a8f88e242

SHA1
0a15b2bb53fadcee01eed84216fc8c9a41b5920e

SHA256
0484dee08b671051d6669d2b0351ae41801e9be5a4c6149553717e304a791372

SHA512
781da683a39eb037cff3b5744ef7d460b3549488345a7b493c905026541187ad0f1c40b2ef68d2289651885840f2c8209bcea49d7c7aa9623f8ef3d177f35560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85f82737a0cb32b1474c9dfe71a5382b

SHA1
2720d9416fc6804b7a52e920124ba4fc19eab3a1

SHA256
931510bb40bab37bf0cd670ee929e7c8d0bc52f97df2c9364a721c7e929dee2b

SHA512
5e8562bd641fdfd6922e3383973f5259ce7186da7a22f54a1a4a2f6e29dd039de678e652975b8e08424ecb2c13e76a87f75dd0d2edcb3c31bcf64a2462ffb11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2e257e44042f73628b6d9e9e6fb80f2

SHA1
5668671bd6b70c00f6e82e9fb2daadfb51ab86cc

SHA256
827fef1073018faca65a887680b16c43a12f7c40101e64d58a304896354cdc5a

SHA512
8bf3b0c4ca045a15e1ab0dc6b61dbf50cdcbd352869833d8aa2f6d6195192cd217f5b836b85b66ca1ea5b6caff052b66bf50ab0e0c844c253dd0f45f21031f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
845476799190f728aa52ad829bba1482

SHA1
04c99c73be9880c6732816fc1f0511b9220270e4

SHA256
ce8c8c0f6941bc44d196eba1ae45d68125b23ab887702ac850e7697711c04d6a

SHA512
8c95f3dcbd5d065ce9996a29c6db4469b451ddf6e45c7b1bc4bbd5898a46e52daf0bc7540c07d1c4fbf146c3e2d870c93c7da65fe6b294435c5ede500eca8ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
36775bddc2c29cc7621f73d9adb01be5

SHA1
e9e09d68f0898ada390e07a30e78518b16f01def

SHA256
7376f3cca34e9a21931535372ee4f68e286596b9025e4991e4d3694576059472

SHA512
9130990ad79edacafaabdf32d1eb8e3da16146f1e4bda52ce7e144f8d2c8c716b5f0c5ad5baf76fb20aa7f8dec26e986dbd7167371b7029320eaf5adf6c3cdf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e128.TMP

Filesize
371B

MD5
6d4894b3f6e2d7d2bdf6150a149e9141

SHA1
6d726826792fa52a64a537fe8b66fab03b964b69

SHA256
b9b9ede3acb840cf693b949be53b14eddf32a30941b3582fafbe739dd1407f07

SHA512
3dc5d5a4bac6ea115932f3af539f016ea10de1d343c9300851ddb98aa6e88f0d585445154d8f3a04aa1f9bb2fa9506ff44614bff2b79681e8951075ff7f2ffc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70bd375b4a3b57ba423786ec40e08a55

SHA1
db8d8be33866fdf06964eaf5cc1faa7dc7ce33da

SHA256
b1271f1ca9bdf9f6238dfe9e47e13756e101e349ffdd39ab163bd05eda5fa122

SHA512
ddbeecc806f2e8882da19d7f7879a54a3799d7dc4f683b23940fc5f82816ace67a05ca5048cbfe064f5e1c195641eaa756d89d2425ce559d95ff1609da9943cc

Download Submit
memory/2864-6-0x000000000A8B0000-0x000000000A8BA000-memory.dmp

Filesize
40KB

Download
memory/2864-4-0x000000000A940000-0x000000000A9D2000-memory.dmp

Filesize
584KB

Download
memory/2864-1-0x00000000006D0000-0x00000000007AC000-memory.dmp

Filesize
880KB

Download
memory/2864-2-0x0000000002D10000-0x0000000002D16000-memory.dmp

Filesize
24KB

Download
memory/2864-11-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2864-3-0x000000000AF40000-0x000000000B4E4000-memory.dmp

Filesize
5.6MB

Download
memory/2864-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2864-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4428-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-8-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-12-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-10-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-13-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download