darkcomet | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Analysis

max time kernel
246s
max time network
256s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Score

10^/10

darkcomet guest1111 defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1111

193.242.166.48:1605

Mutex

DC_MUTEX-2QRLPN3

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
Rb5l52XcV9no
install
true
offline_keylogger
false
password
313131
persistence
true
reg_key
winupdater

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 8 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5580	attrib.exe
3480	attrib.exe
5940	attrib.exe
3464	attrib.exe
5852	attrib.exe
4860	attrib.exe
3920	attrib.exe
4440	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
3436	winupdate.exe
5252	winupdate.exe
2696	winupdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\O:	000.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-sl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-sq.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-und-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Filtering Rules-CA	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-fr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-hy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Part-IT	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_2119289531\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_468331932\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-cy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-tk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-es.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-eu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-nb.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-sk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-uk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\adblock_snippet.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1733201485\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-lv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-sv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-ta.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Filtering Rules-AA	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-da.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-de-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-ml.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-nn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Part-ZH	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_2119289531\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1733201485\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-de-1996.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-et.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-la.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-lt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Part-ES	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_2119289531\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-it.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-or.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_2119289531\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-hi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-ru.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Part-RU	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_2119289531\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_468331932\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_468331932\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-gu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-kn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\Part-FR	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1733201485\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-be.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-en-gb.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4368	taskkill.exe
5560	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868791097011967"	msedge.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{5A11C7C0-9E53-4B48-918E-915EDFACFCC4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{013AF8E4-F6E3-410B-9533-DEDEF63B9385}	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	msedge.exe
2996	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	836	Blackkomet.exe
Token: SeSecurityPrivilege	836	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	836	Blackkomet.exe
Token: SeLoadDriverPrivilege	836	Blackkomet.exe
Token: SeSystemProfilePrivilege	836	Blackkomet.exe
Token: SeSystemtimePrivilege	836	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	836	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	836	Blackkomet.exe
Token: SeCreatePagefilePrivilege	836	Blackkomet.exe
Token: SeBackupPrivilege	836	Blackkomet.exe
Token: SeRestorePrivilege	836	Blackkomet.exe
Token: SeShutdownPrivilege	836	Blackkomet.exe
Token: SeDebugPrivilege	836	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	836	Blackkomet.exe
Token: SeChangeNotifyPrivilege	836	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	836	Blackkomet.exe
Token: SeUndockPrivilege	836	Blackkomet.exe
Token: SeManageVolumePrivilege	836	Blackkomet.exe
Token: SeImpersonatePrivilege	836	Blackkomet.exe
Token: SeCreateGlobalPrivilege	836	Blackkomet.exe
Token: 33	836	Blackkomet.exe
Token: 34	836	Blackkomet.exe
Token: 35	836	Blackkomet.exe
Token: 36	836	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	3436	winupdate.exe
Token: SeSecurityPrivilege	3436	winupdate.exe
Token: SeTakeOwnershipPrivilege	3436	winupdate.exe
Token: SeLoadDriverPrivilege	3436	winupdate.exe
Token: SeSystemProfilePrivilege	3436	winupdate.exe
Token: SeSystemtimePrivilege	3436	winupdate.exe
Token: SeProfSingleProcessPrivilege	3436	winupdate.exe
Token: SeIncBasePriorityPrivilege	3436	winupdate.exe
Token: SeCreatePagefilePrivilege	3436	winupdate.exe
Token: SeBackupPrivilege	3436	winupdate.exe
Token: SeRestorePrivilege	3436	winupdate.exe
Token: SeShutdownPrivilege	3436	winupdate.exe
Token: SeDebugPrivilege	3436	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3436	winupdate.exe
Token: SeChangeNotifyPrivilege	3436	winupdate.exe
Token: SeRemoteShutdownPrivilege	3436	winupdate.exe
Token: SeUndockPrivilege	3436	winupdate.exe
Token: SeManageVolumePrivilege	3436	winupdate.exe
Token: SeImpersonatePrivilege	3436	winupdate.exe
Token: SeCreateGlobalPrivilege	3436	winupdate.exe
Token: 33	3436	winupdate.exe
Token: 34	3436	winupdate.exe
Token: 35	3436	winupdate.exe
Token: 36	3436	winupdate.exe
Token: SeIncreaseQuotaPrivilege	5252	winupdate.exe
Token: SeSecurityPrivilege	5252	winupdate.exe
Token: SeTakeOwnershipPrivilege	5252	winupdate.exe
Token: SeLoadDriverPrivilege	5252	winupdate.exe
Token: SeSystemProfilePrivilege	5252	winupdate.exe
Token: SeSystemtimePrivilege	5252	winupdate.exe
Token: SeProfSingleProcessPrivilege	5252	winupdate.exe
Token: SeIncBasePriorityPrivilege	5252	winupdate.exe
Token: SeCreatePagefilePrivilege	5252	winupdate.exe
Token: SeBackupPrivilege	5252	winupdate.exe
Token: SeRestorePrivilege	5252	winupdate.exe
Token: SeShutdownPrivilege	5252	winupdate.exe
Token: SeDebugPrivilege	5252	winupdate.exe
Token: SeSystemEnvironmentPrivilege	5252	winupdate.exe
Token: SeChangeNotifyPrivilege	5252	winupdate.exe
Token: SeRemoteShutdownPrivilege	5252	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3592	000.exe
3592	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 3356	2684	msedge.exe	82
PID 2684 wrote to memory of 3356	2684	msedge.exe	82
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 3628	2684	msedge.exe	84
PID 2684 wrote to memory of 3628	2684	msedge.exe	84
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 5092	2684	msedge.exe	83
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86
PID 2684 wrote to memory of 4472	2684	msedge.exe	86

Views/modifies file attributes 1 TTPs 8 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3464	attrib.exe
5852	attrib.exe
4860	attrib.exe
3920	attrib.exe
4440	attrib.exe
5580	attrib.exe
3480	attrib.exe
5940	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ffae6a4f208,0x7ffae6a4f214,0x7ffae6a4f220
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:11
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2412,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=3204 /prefetch:13
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:14
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:14
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5360,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5672,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:14
  2⤵
  PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1132
    3⤵
    PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:14
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5484,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:14
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:14
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:14
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6120,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5180,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:14
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3508,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:14
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5796,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5400,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:14
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6760,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6176,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6620,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:14
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:14
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4684,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:14
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3492,i,9118954797091175054,9985623166177633359,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:14
  2⤵
  PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:948

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:836
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3920
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4440
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5580
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3480
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3464
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2696
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5852

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1200

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3440
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5560
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:2148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ec855 /state1:0x41c64e6d
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
623d0eb0c4a36135a270354557aae018

SHA1
864d2599207960d2aedba50ada4a3b1b2a5a8b87

SHA256
52b485675b621aa85ff48f5cef95a29f845616b63d9a683bb7503f324cee3d03

SHA512
685e69631c295fee7ddb6bedccb9ddab7ac0fd5d5476f5236ee22d7b8af871f9705be8f30ec71b0bfdeabc69927be677942bf8bfcfbdb7ed1151e7dfe80105ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
64cd6dee2ca19e6a806259dfac9cc6d1

SHA1
8a7629aa4a9efecf475bfdc82ffb3ead310fa0df

SHA256
88f512fc7c6ae0499fea7365067109a9adf5f24188c2330703a04a7123d5fc1c

SHA512
b7c7246f6b615691d095736daf630a31a4851d58f26b893343c8a5c958e73f0d88a213a370396ab3e40e9cb521290a932660407af74a20459ed8f63fd65094c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7f178e072a3d30419a95b52ae893188a

SHA1
1f214b4abd456a2728158e5f42fb5108beca521b

SHA256
0bc445976345388e15cfd9f64648b174bc2bf20192578d2478309584fd33f7cb

SHA512
f3d9a03c649b867ceb2fb1d470266c1bfadfd9a0e9faed085bcec7e02e046f6cd1ba8947e12e9e3978aecf9a21df94bb10a1de2936fefbc8a6a0464ccfdc4e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b3dd2a60fbbecfe16d7cfc0b1b5c694a

SHA1
e93c2edc05d7b3065fd2ce511dfdd21398a197e7

SHA256
c101dba9a77d6d1146d089ca0796e1a56fc707edeb43c4fec237f59d778d4b73

SHA512
d1ce89fd59ec1d3939e716db50767adbedf5c9101db8e114dd36b40d3b86fbba768565a377e6c7f46ce2f739056a93142511cc870df5459ea9370e54bc31b7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57fe55.TMP

Filesize
3KB

MD5
ab818e74371967518b89383535a97a4d

SHA1
a00eece5c44b9c40d30fda4da31579892ca28533

SHA256
219546c35e5fd632285d65fbbcdacb525c2fe4c4f7b79c798b9d59ac71687d51

SHA512
fda9163679c0bad005c5ec324505d7885590fad3252d22a713c0347c2f07fb5756cc9515c7abee6486774d66c6be80273531f9e96523e838f785b4d505b23253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cb3650cacb5c56f1b65f97da34c40a04

SHA1
0451adb2f17ecb0ab48dee7bec702fecdfcb2c5c

SHA256
fd2d563236229ad7552dcc07e29c163ad5651b2a0dd0d881e4b22dcb489713bb

SHA512
ee32a4b306d0f1645e2e394caf1b18528f22db4fd8a94382d78049222b25c413032a18c9c2095f75848df8b65ef9d2ecfcfca36b2656e28b0741149005b80728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cf40e35cc2d0c1e17d612dbed8ec4a64

SHA1
443e1d2bc1f04b9d20635b60ae23d96d089c0c08

SHA256
4f592e734217fea30532cb6ebfdd871c5a82ee103eb4250d03e777b7b702642b

SHA512
c58aae813901ab82e2f07c526abf4c9de394d0ecc72567c6721153202be257df955ed236a15b3846dc0760e1741fc9f25ad1a485948bc878e5f91992186625fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
14e3ec4e07069602e72a105f6090b6f9

SHA1
09c9ff5848e363b993a7c92cb0709551cd04e067

SHA256
8cf82dcd92fd0d4887de08a71be49ef06da46773253034a4a1d30ff573c06540

SHA512
b3a34e22077d98581c7e62d9dd95b2bb9c21439d7eb2a16106872b2d5d86ae38498d6e0d4550e480f1d2692bdd6ca81c5a5f24efb5e4c183cd6073c4c536f71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
9532655e7e484c5f8310376bd2efe380

SHA1
f54de70c10a3e27583df14e22115f2a4472913e9

SHA256
c09657d2eb5d416cfce631fa892de96fc8d3f18d8457fac3218618dd623d2274

SHA512
94e9775d8ec02cb8c29aafc101a0d59ccdbd76759b312b51997e7b62c7c02d4af26c910d1d54b5940603044df687b069fc78ddf28d8b534a1da2ad2c36a00809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5b0805cbac4430b1d9bb4beadeaf26d4

SHA1
e18bfb65d8805edf82ddd2c431151ee9f78c7235

SHA256
32701d998f29b2ab3025fc77cc33ed075a9a0de44cbf3e7e6880e2a8d53d7ec2

SHA512
e752d651778dfbf01facdcb72583f01bc10d70c90271895649616a107db9501b5e930308fb3db5e196fd51f80b821e4dcf3af02bb75a87e6696a63a7b9f23b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
99c2e8a1f6f4cd6839e25f03e28be929

SHA1
93d704fcf9e0ae7e9da84d87668cffc57531d5ad

SHA256
a4904d12b9d3e1ad9243a75b009ad9e5b8728787a611b67a7385426c126ae313

SHA512
fe2d5abdc122016f32a2222620bbb9ade00aa9f828b2c50f088b99c9cb6a246d57172e0dcb8965083d738cbc26614f86eee62a45d13022c278d45b835758714e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
1a0736629602e500098ade6cb7b13e8d

SHA1
b7c5623b2d4f12a72ae01316439d819b150c093e

SHA256
3258cd2cc2caf01fa22214ec783a6f0517c31f00a3093fde91b7bc7b39460fb9

SHA512
99b883ab18a2b6f4a293d0e5933308b30ab134e6dd2264ee8224386e23a4f92db1d1ca4ea9ab36aa5bfe125e750d9213bf10848298842d70de6ceb801edac65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
bf0de3e60cdf53d0ddd6963336606932

SHA1
e79420681197814e3da84b63c535879cae33d7da

SHA256
62cedc41cd6d7a927effc6f3b7858d8ac7f504bf6824a97817a93dbd4a5f2a4b

SHA512
fadc0dbd1af02a8a7552c539b57efe760550689bd0fb688a1dae865d8d99790bdac873c7941a563b03fa2629b3dc10ce4b3a6a2245b63e78ee7d687928bbda56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
18KB

MD5
f66fb6debf2041cdc32e815331719d36

SHA1
a9d9eb860422bb08871e9b0880cac969994ae359

SHA256
b20b433a46d4429f33394c2ce74fde52a6f9a97e4e5dc7f33cf203365455d0bb

SHA512
17aa7ed6fcb086124afcfc706c6ec05b0376db4b4760f06de7d9f96bbfc97e897a5b8bdcf88cde30177b0c34140bf600b815866ba9f76465ae9a068832f920e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
baf9e269fc438f5f68cd769fa62ba5b8

SHA1
8259186a9a855d77e5cdc69c2f0ee56d92f3c682

SHA256
616fa34f3369ab174fc56ca6bc39ccfef1f3360e48f42b64c94f8ebffa12c6c4

SHA512
f86ca7b7c9633e7bfe71448437a7d8c3928457b78f5e517eca7c363fe4ef00fb9b76811b01ee82fb1f5fb3decc67cf8ba71772f826e917e5db11039e192ca299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
af905a42f7744c265c403536311c6dff

SHA1
8405fa530033c586928fbf37c1c74f63add2ae92

SHA256
fcc2334f509549c6440743a9a6f6d04f6d022ecccbd60fd56839bd8959301572

SHA512
51aafb4ba010a79d616e4f6d199ca7b5d4dbc3f10e47464322b5e2878ba1e9ebc50d1ab7626f3c31a320f7723de8bbcef1d5cb0cb8070bd5417578a607bb4777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
f8f11982b638853832b802065dd1686f

SHA1
8593815f6213e797e4cd97007d34b5d15b282cb8

SHA256
7e185c74f60565e2a3dc178570e301be7f24b0163ffb0b148f33a39103d78164

SHA512
e629b61d289337b5a9c77b47a177e843f3465cb4748a2b818132fd07b5eefc880fc979113f11f376f9e74f03b8d5d54cf10b0d642a4776a38d826b63d464a356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
733777b9a30ce0ea97df75bbc83577b5

SHA1
15025410030a00e458f7e998521c64de190a0a7f

SHA256
0d8f9773ce8ac6bd308c81dfddfde6ec8389d4e40b44f9566f8aa8ab01741e60

SHA512
03c520c576b752a5d8528c917f168b5333d4247384507b954d48465cd737b2b656be821988e95900ebcbbeb1e3da26b253591c08ac3afef792651a31caf6bebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
3228b908b08317e47d4f8f2ac3f41d77

SHA1
1190b5fd0eed11ec6cc382f886ab8b972e82d522

SHA256
a16ac5ee670bdf65845f1d0c487d6b230ec332940873cd5b3ef7a169ec2e1f5e

SHA512
c6f3b9c94ca45b27d699f53e0b77f24210be8700ee1cf278ab9dcf90a78eac9d9f321ef19794cf2e9d8f59c38e7982a2beb6bd3ebbfa82a05024d82eed0d8125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
b5e405f940b5bcc70ee8288869633b60

SHA1
7d08bcdcf1c72e9a54ce972bee20e5443941439e

SHA256
f7f72db8446b7bc1303cd6bd5a79ae85b4d2d03f2f879c4130cee39a3abe40a9

SHA512
b09f68d3eeb950cb3a276ece2106c1396f3193a2d3aa6673368ac1c4c7bb76f1afcbaf5a76b0488d93ba836abf2f3eb3c2e44e1207ebd32222de420d72960d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
d1d46198e89ba521b1bbf6793d5a5d24

SHA1
9540a27740ed9e5412e00d23d958fb7a45aa259d

SHA256
541e49960bdd5084ed18286ee4a7a337074914bd87830177d339f87119b58e83

SHA512
aaa92203b43f36dfd7b1d3ec20787f81f7bcfd5d1bef67e526ebdeabedab25b46fac730fb2a07576987b25c9e4cd9ede19cec1627f30f954ddfb67daf2e2a4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
66d2b161bfd5ad23492b4c4e59dbc2e0

SHA1
9cf9911f414a2a95359856187c9b6f5a28c5bbec

SHA256
8fc1f98b85fda1778eb354e07987d1c3be744df003f89651a742ede912ff672a

SHA512
cf2b9efe15ddceab98999d050de0fbd8e37d30c4715e597f0dd6508c3e822a80631f1fa98bdfa6fa25e03bfa953ff0a82e1bf090ff8695bde4e43bd0719d6ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe589b51.TMP

Filesize
392B

MD5
512ccd63935adde85801140514a6c0b3

SHA1
049c6a790a17d81c7a3829a47692e7d3ca3c11f3

SHA256
c76b9be1fb7e1a17e57d368bc1f5a4d503943cec0680e9ed9911554380579fbe

SHA512
d8b9b0c2310b93714563dd308eb51f53cf1591b354047d861e53353999d36803ac5675a91beb76c8caef685259493e2477bf64eb45494d8bd6b5e34edde7dea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.19.1\typosquatting_list.pb

Filesize
638KB

MD5
ca87451145b7744bee71724af1feca21

SHA1
3d99f1ad97326e49ef04904db63c312bd8c64612

SHA256
d03de614aecf8590e013746de46b715605b72445a14702edbda12b5ce2db3df3

SHA512
ef4a47b30b6b03bc73e4c876111af6d08f741998308bde635427d466d4800f8764ea94462f4bd9f13d21c9eff12cc3c2b8ac13433a8cef3f7aa5bc8395c4285f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
c5145dd842225bb18747c2e96b189492

SHA1
afbbf0bb3fd463f2e8336a227a75625f358b4f41

SHA256
bbdc3f69136848708d74f89cd1b104ac7584c3bdb7465316b8170f89a2872421

SHA512
90c762263f341701f909aefa55f9c5878cf59c9cc5f8dc430235b01cf3a3893038a6953f9346a530f84a9e996fb12b167b7b6a87b6961482e8ee03e3d20ee863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\BackupMerge.docx.WINDOWS

Filesize
17KB

MD5
b6513546a8d766c98e198b72288da2e8

SHA1
4c34ce462d68b72398dd57a00d9d4c18fc336f42

SHA256
ef72a28e3cb8519fcff277d24bfd3aebafdd8da0c0121d79f4055b9c966a2e4d

SHA512
7f98ebbbf6d3daa71eba3e1025be79d078887afd3a4903d77dcf79b5a8540adc9a31629169a589ad803073124d387ade6b7496ebe4f1e352add718fd8fae338d

Download Submit
C:\Users\Admin\Desktop\CopyImport.php.WINDOWS

Filesize
633KB

MD5
4a348aa41d54aba39b2dfb6270a120b7

SHA1
34b3cbd873081efa3f066f6ec0c4f295f6a9b6d2

SHA256
6b780be16de4d4b987da2ca07b38c106bd32b1347aa6709f17ca7cb60b7c7ef9

SHA512
abbcfcc0489ba33bceff5d851e1aa621f668a1d10c03942210cbdd8daaa9fcd398541fe2291c961e2f43816274726a132e6e3406b1009f31efadfe4e549aaa11

Download Submit
C:\Users\Admin\Desktop\GrantWait.docx.WINDOWS

Filesize
13KB

MD5
c9e901b1309bd45ad8b2a2b1f12de38a

SHA1
1b29a31b5a30ce2a170e0cf98e825dda95b99789

SHA256
ec001323b19aa80dab2421dc16d761f2820749c3bebc6d852154f389d9ec01c0

SHA512
e46bef99992a23ad9c9ac2ae62c0454b149ec856db0c04116d422e1dc5a6f70a50d5c611c17f083189f4e2789d1f4aff36eda0a6c85681ee8d0eb014dc05e116

Download Submit
C:\Users\Admin\Desktop\InvokeUse.xlsx.WINDOWS

Filesize
10KB

MD5
7c02f3c4305eaff93677a81e6d7453cd

SHA1
f3d6d878792265b1a2496d366068388c1f15785f

SHA256
570099fd744d698ae417443b2561bc684eaad06158246b4d30449cbf14fbc32e

SHA512
52d133d10b127a885ca613046c50072227c4ffcdbbef5475af76bdb14bd5d37cbd6b62c1dbf20d32d24b51629a54357923d44305ad1e672696960f3044df4a46

Download Submit
C:\Users\Admin\Desktop\READ_IT.txt

Filesize
108B

MD5
d845190db42d07b1f4a34292d8f335c7

SHA1
fa97f5c6d4aa832a0a1451730e8ba2a32b2f9339

SHA256
6bd70f8e5afcaf2bac76a5e40649be7ad4d59fb10d37e4f18ed3b1027b714b9a

SHA512
9d9310f6885084665a54cba5c33ce55d2de89978b82d59c70746f1e9ca2abdd094713e562f802f5e723654824ab872b9ab453cb32e279b5960edc196f683a08c

Download Submit
C:\Users\Admin\Desktop\ReadResume.xlsx.WINDOWS

Filesize
12KB

MD5
1e6aa1174d79871a4536b70403d6b1a7

SHA1
d924378b67338930425debc9ff0136a228583d93

SHA256
6b1b0b274ab4d4ae2c3d2201177c914fe3dd3a764ec0043ac5783d8c57e52bbf

SHA512
7711f6002a2d112fec65296112cec5344152b9c4e41f1a617ca9ea749dc10fa11c39112632cddede51a221ed96799952d83a93fa0994477aa5340d116248b5e0

Download Submit
C:\Users\Admin\Desktop\SendTest.html.WINDOWS

Filesize
516KB

MD5
73235571374014dde48f2bbef6516121

SHA1
f5b61cc6f9e6c8e33ea08663b853e7d5ddffccbd

SHA256
a18da7780016165b801d33d9bd080403c97db86329be042479172e3675575d71

SHA512
aeec1ca1a66c0887e539bcddcb1cd417ff84ce59f8641373aa94b8b62b98957dfbf6ab4b156f5a054927c2263425188c8698289aa68dfde80b03025cf5bee499

Download Submit
C:\Users\Admin\Desktop\StepHide.docx.WINDOWS

Filesize
14KB

MD5
c6cbd70acf19a4c6b93a43340545dc1d

SHA1
0a013c6b4ae05f33f554840da69effbadb90d714

SHA256
a9f1e3d54906ed487b42a30e71064ea213f6671a6302271ffbdbeaef4926c5c1

SHA512
4ca3dc8395d0c792ca690fd2b5f5fbd89813b3362ebb1ea57d6d85a49d7d8ba8f8d58ee0ba4269ce144ccf37e53eacfed01f32c14e53819f7538998d8899c16f

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1184480151\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1733201485\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_1733201485\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_310963164\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2684_468331932\manifest.json

Filesize
118B

MD5
1c86577f2cd4d32c2a66df8ea2688d85

SHA1
35a17132f6e9fa4cf9f7cfb307870eef46b697f7

SHA256
312e962260bb133a4c811348a75396477d2bc284701393137cbdad971317578c

SHA512
ab8583a6c1e0f34f937296d12b9c045c99a8d5eb61fb36e797940cb0bd65f952eb99cfcd44c56ae45d6d14ff330bde0bfbd9cf5c18fb8296bf68a64b38ef7594

Download Submit
memory/836-1287-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/948-919-0x0000000000940000-0x00000000009AE000-memory.dmp

Filesize
440KB

Download
memory/948-921-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/948-922-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/948-920-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/2696-1292-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3436-1289-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3592-1317-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1326-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/3592-1325-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1324-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1323-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/3592-1322-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/3592-1293-0x0000000000180000-0x000000000082E000-memory.dmp

Filesize
6.7MB

Download
memory/3592-1318-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1316-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1315-0x000000000BA60000-0x000000000BA70000-memory.dmp

Filesize
64KB

Download
memory/3592-1311-0x000000000B700000-0x000000000B738000-memory.dmp

Filesize
224KB

Download
memory/3592-1312-0x000000000B6C0000-0x000000000B6CE000-memory.dmp

Filesize
56KB

Download
memory/5252-1291-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download