darkcomet | 28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yes.exe
Size

251KB
MD5

61c55a38fb0de6ab47ccf098c827f9aa
SHA1

20593bb3d4b57ec87a3edb64d0492aa9dde3c259
SHA256

28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398
SHA512

e19cf44348ee6e3a3c55c5402c7c54dddedb0c8bccfeebf08aa49acf2393134c53d579521f9322461109747ea2f1e99fa4488f5e3e784324e425918f844b4ba5
SSDEEP

6144:mcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37a:mcW7KEZlPzCy37

Score

10^/10

darkcomet gcplayer23 defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

gcplayer23

4.tcp.eu.ngrok.io:19834

Mutex

GC_MUTEX-17DFY2D

Attributes

InstallPath
Pekora\pekora.exe
gencode
UuWZrVebAwmk
install
true
offline_keylogger
true
persistence
true
reg_key
Pekora

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Pekora\\pekora.exe"	yes.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pekora.exe

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4372	attrib.exe
4392	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	yes.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	pekora.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pekora = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Pekora\\pekora.exe"	pekora.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pekora = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Pekora\\pekora.exe"	yes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
4	4.tcp.eu.ngrok.io

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x0008000000024268-6.dat	upx
behavioral1/memory/4648-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1736-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4648-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4648-67-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4648-438-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4648-590-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pekora.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878224157974347"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	yes.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5636	chrome.exe
5636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1736	yes.exe
Token: SeSecurityPrivilege	1736	yes.exe
Token: SeTakeOwnershipPrivilege	1736	yes.exe
Token: SeLoadDriverPrivilege	1736	yes.exe
Token: SeSystemProfilePrivilege	1736	yes.exe
Token: SeSystemtimePrivilege	1736	yes.exe
Token: SeProfSingleProcessPrivilege	1736	yes.exe
Token: SeIncBasePriorityPrivilege	1736	yes.exe
Token: SeCreatePagefilePrivilege	1736	yes.exe
Token: SeBackupPrivilege	1736	yes.exe
Token: SeRestorePrivilege	1736	yes.exe
Token: SeShutdownPrivilege	1736	yes.exe
Token: SeDebugPrivilege	1736	yes.exe
Token: SeSystemEnvironmentPrivilege	1736	yes.exe
Token: SeChangeNotifyPrivilege	1736	yes.exe
Token: SeRemoteShutdownPrivilege	1736	yes.exe
Token: SeUndockPrivilege	1736	yes.exe
Token: SeManageVolumePrivilege	1736	yes.exe
Token: SeImpersonatePrivilege	1736	yes.exe
Token: SeCreateGlobalPrivilege	1736	yes.exe
Token: 33	1736	yes.exe
Token: 34	1736	yes.exe
Token: 35	1736	yes.exe
Token: 36	1736	yes.exe
Token: SeIncreaseQuotaPrivilege	4648	pekora.exe
Token: SeSecurityPrivilege	4648	pekora.exe
Token: SeTakeOwnershipPrivilege	4648	pekora.exe
Token: SeLoadDriverPrivilege	4648	pekora.exe
Token: SeSystemProfilePrivilege	4648	pekora.exe
Token: SeSystemtimePrivilege	4648	pekora.exe
Token: SeProfSingleProcessPrivilege	4648	pekora.exe
Token: SeIncBasePriorityPrivilege	4648	pekora.exe
Token: SeCreatePagefilePrivilege	4648	pekora.exe
Token: SeBackupPrivilege	4648	pekora.exe
Token: SeRestorePrivilege	4648	pekora.exe
Token: SeShutdownPrivilege	4648	pekora.exe
Token: SeDebugPrivilege	4648	pekora.exe
Token: SeSystemEnvironmentPrivilege	4648	pekora.exe
Token: SeChangeNotifyPrivilege	4648	pekora.exe
Token: SeRemoteShutdownPrivilege	4648	pekora.exe
Token: SeUndockPrivilege	4648	pekora.exe
Token: SeManageVolumePrivilege	4648	pekora.exe
Token: SeImpersonatePrivilege	4648	pekora.exe
Token: SeCreateGlobalPrivilege	4648	pekora.exe
Token: 33	4648	pekora.exe
Token: 34	4648	pekora.exe
Token: 35	4648	pekora.exe
Token: 36	4648	pekora.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4648	pekora.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 5680	1736	yes.exe	87
PID 1736 wrote to memory of 5680	1736	yes.exe	87
PID 1736 wrote to memory of 5680	1736	yes.exe	87
PID 1736 wrote to memory of 5616	1736	yes.exe	88
PID 1736 wrote to memory of 5616	1736	yes.exe	88
PID 1736 wrote to memory of 5616	1736	yes.exe	88
PID 5616 wrote to memory of 4392	5616	cmd.exe	91
PID 5616 wrote to memory of 4392	5616	cmd.exe	91
PID 5616 wrote to memory of 4392	5616	cmd.exe	91
PID 5680 wrote to memory of 4372	5680	cmd.exe	92
PID 5680 wrote to memory of 4372	5680	cmd.exe	92
PID 5680 wrote to memory of 4372	5680	cmd.exe	92
PID 1736 wrote to memory of 4648	1736	yes.exe	95
PID 1736 wrote to memory of 4648	1736	yes.exe	95
PID 1736 wrote to memory of 4648	1736	yes.exe	95
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 4648 wrote to memory of 5996	4648	pekora.exe	97
PID 5636 wrote to memory of 3444	5636	chrome.exe	121
PID 5636 wrote to memory of 3444	5636	chrome.exe	121
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122
PID 5636 wrote to memory of 2396	5636	chrome.exe	122

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4372	attrib.exe
4392	attrib.exe

C:\Users\Admin\AppData\Local\Temp\yes.exe
"C:\Users\Admin\AppData\Local\Temp\yes.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\yes.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5680
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\yes.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5616
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4392
- C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab7f5dcf8,0x7ffab7f5dd04,0x7ffab7f5dd10
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1960,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1800,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1400,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3376,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4352 /prefetch:2
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4864,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4852,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5056,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5320,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5324,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,12543415802884561988,10404089843446016708,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:5444

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Pekora\pekora.exe

Filesize
251KB

MD5
61c55a38fb0de6ab47ccf098c827f9aa

SHA1
20593bb3d4b57ec87a3edb64d0492aa9dde3c259

SHA256
28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398

SHA512
e19cf44348ee6e3a3c55c5402c7c54dddedb0c8bccfeebf08aa49acf2393134c53d579521f9322461109747ea2f1e99fa4488f5e3e784324e425918f844b4ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
761252ad698f2a8289b9fd69e8f4241c

SHA1
ddba994c785c2c7c0b60913000c913f943218eb2

SHA256
4c9993fd945274c0777c84842048797ffaa3c5561272de33a7ab819a9e5be347

SHA512
112b0bd3447f844333217f28605d682d375c36a250ab38bfb35f3ca24ab21d4a1dfecfd2fa559225914a5340ad190897101f7beea8e0289ab00e0cb648bda478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
2d0bc8c1ffe2855a954235c898b3943a

SHA1
a79c09bae779e3458f0c158f47f972fdb4c1fed9

SHA256
f6c4b1177ea67fc0e74bb8f688f6f23b75ca3f8b5d45152cb3e57e287b55e9bb

SHA512
23da3d1c2e161c3b11110de0201f6fbb771ed20c8fcaae81088e5dbf08576f282f317e72260fa7c2d12c5f848ad4b2adfb0a9fb965e86db2152d96d84aa2e5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0105e403c3dd2c947ec4886b2e55601e

SHA1
c292fb08d1ba20ddae5bb18f5e908881ecae06d5

SHA256
905ee338a5a3238b230cc7ede6014ba717d819ca38b22d3641592365c2f45f64

SHA512
4eab501a59604e1d741f1cc53948bc7cb2577b45bbc5798e4771f0a3a1da1652e535ba5626847bfd6ac3b22642a93b4e7d5b44cf4d542b4846d82198e762b548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ba850f469f568437ec15c635820102a5

SHA1
0019448bac0ea5ed69bdabda686c4ee9cbc1817f

SHA256
da01a205ab984166977c9ce01b7bf3c18a16a04125d79efb09314e6ee4703942

SHA512
2bb5529a2d1e3fd34c8aa0ad729bb2e3b5c199bae77c3ddcd7470909780b2d104fd1820d30651a1814cf5c131e66b0197836cd902e5096ec8488d76d1017fe7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd61594e780a2c9d59da51e38fea40f1

SHA1
94e15395271208215badd2116ff12025f1c369d0

SHA256
f9afff01a5e869a4aacc1d5675de0cc0e8285559f58b78c8a5c4f3c926799460

SHA512
bec7814b4a1fea50c97aa8bf255ea002f79776d4e99a00d2b3954e404bfa97fda951f8156573f5cd068af3b6b0668976bfcb89d4fd9d51180d104670878577ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
3e6fe8c98708c6aa3e02731facf538f4

SHA1
01e19af224ba726f723fe26799daa96348c22169

SHA256
9466599c3f740d6d3e6d1e9180eb59ec5c64286803ae15c63b4fbea5a84e7119

SHA512
5f761b247512c7ab37b9b034c0998e73d125e16e75c585ff0797429b0c62388942c2297d43c5b372b0d3c4e9b5799864e38f07168bfb77159647bad369aa433a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cc99a69d44102b5559f82af1356dacbb

SHA1
3d276012a0cdb7c77c886152b1d9040f3ddec1b0

SHA256
98a72ef66ed90ab182dc8c04f912557bcc3b3426ffc97bf5a338bcac68d94073

SHA512
db1621338b34089e8245598e32e3291620f5ab00a95d3985bcfdff70ee7f0fec8475eff8c37139d34c2a41fe184f363055ff9258d50847141c30fac40c849b78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ea60.TMP

Filesize
48B

MD5
877630b0175c9ab6320d3a629aa79fb9

SHA1
2d0a5b3fa9b5267d9c94ef8401304a9e93b5308d

SHA256
bf45ce36286dfbceb45fa641d0af9051b879b561e0e423571e0327ec7d641aa2

SHA512
f2282c8253a6eedf2a07b53c27b6dabd433fba90dad0d74311995297c205a6709eb7fa3e49383c6732e022eb7c8cfc4ed270820c37ea2645bdb944c36953fcbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
9f7a070c430eb0d3a79ff3b83f1db9ff

SHA1
6e4d1162925120ca71c9ea9f166650b3af42dbfc

SHA256
30de7d643f56e29471ba8e8f395b1f6afb6c36ce88e05a7f79aaaf4d1ff899d5

SHA512
1d6dcd65ca4c5027fe1ddf72c35af1f129b280af8b2c5db87ae459b60043fe8fefcc8494fcae486cbf8329a27bd8ba915e80de0f53ab29f045a14a8492e4fbda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
46394ca15ea9d861e639a0cc6adb4a03

SHA1
c7f485c53f56a258c6dcc2508abd6059a1195b08

SHA256
a476bfbdd4fdc9030230c1bec70b74b38c3b151e8897571ab55263d645421ab5

SHA512
77e442a2f7226e46c86871e0dafcced69d62105228d4cfd4d4a0a82564c2bfb6fdbf3aa79495d4eb487349a9640bce7bbb7275c7e5b264493ebc0b48cb5ddaca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
ce964985a0e97c526bd2f28292312620

SHA1
3b63307819659bba45d2fd79d022b27c6f8c5b22

SHA256
3a4a95662c2981039e9802ea9955fbc1b5cf3c35d98068ef9a37c5050d24fd29

SHA512
44037d53b3a5fd380e7a4750268ba94a70f084d8e0b8d928089072b6c56a1c54c7aabe256b9a433185ba6ba44523c18498ff40a1d7f0ce81af3fc717418e8561

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5636_909865517\6f6b6f12-09fd-4fc8-aa05-63cd94ccdb54.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/1736-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1736-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1736-1-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4648-438-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4648-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4648-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4648-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4648-590-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5996-63-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download