Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2023 17:49
Static task: static1
Behavioral task behavioral1: sample tmp.exe, resource win7-20230220-en
Behavioral task behavioral2: sample tmp.exe, resource win10v2004-20230220-en
General
Target: tmp.exe
Size: 1.4MB
MD5: 8db8ac6d19be3b52641ea16e209b9ea4
SHA1: 602bcfe9d5721eb745984cd78282493123a6cdf4
SHA256: e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0
SHA512: 301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91
SSDEEP: 24576:vFBr1R5kl7kHeIg+jQ0SBpxhtL6VEP5bCKCyzHAc:vX5yQ+IVUv5bCKCV
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- tmp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\sihost.exe\""
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is wmiprvse.exe, the WMI provider host; a process created through WMI (Win32_Process.Create) is parented by WmiPrvSE, so these three schtasks.exe launches are consistent with the sample creating its tasks via WMI rather than with an exploited parent.
Processes:
- schtasks.exe (pid 880, pid_target 2724): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- schtasks.exe (pid 820, pid_target 2724): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- schtasks.exe (pid 852, pid_target 2724): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
-
UAC bypass 6 IoCs
All six writes are to HKLM policy values, so they succeeded because the writing process already had administrative rights. EnableLUA = 0 switches UAC off entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 makes elevation silent and PromptOnSecureDesktop = 0 removes the secure desktop: UAC is being disabled for future runs rather than bypassed.
Processes:
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- tmp.exe: Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE 1 IoCs
Processes:
- sihost.exe (pid 4292)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- tmp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""
- tmp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:/Users/Admin/AppData/Local/\\sihost.exe\""
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 4 IoCs
Processes:
- tmp.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- sihost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 41: ipinfo.io
- flow 42: ipinfo.io
-
Drops file in Program Files directory 2 IoCs
Both writes are by Edge's own installer (setup.exe, a child of msedge.exe in the process tree), first-run housekeeping triggered when the sample opened the browser, not file activity of the sample itself.
Processes:
- setup.exe: File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c0c7ff55-6e22-4f75-9f6a-14128972a091.tmp
- setup.exe: File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230527195011.pma
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe (pid 880)
- schtasks.exe (pid 820)
- schtasks.exe (pid 852)
-
Enumerates system info in registry 2 TTPs 3 IoCs
All three reads are by msedge.exe, not by the sample.
Processes:
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
-
Modifies registry class 2 IoCs
Processes:
- tmp.exe: Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings
- msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid, process, number of entries):
- 4960 tmp.exe (1)
- 4292 sihost.exe (9)
- 2856 msedge.exe (2)
- 3992 msedge.exe (2)
- 4384 identity_helper.exe (2)
- 668 msedge.exe (4)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 4292 sihost.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
- 3992 msedge.exe (10 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- tmp.exe (pid 4960): Token: SeDebugPrivilege
- sihost.exe (pid 4292): Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
- 3992 msedge.exe (3 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer pid/process -> target pid/process; the 64 listed entries are repetitions of these edges):
- 4960 tmp.exe -> 4000 cmd.exe
- 4000 cmd.exe -> 1016 w32tm.exe
- 4000 cmd.exe -> 4292 sihost.exe
- 4292 sihost.exe -> 3992 msedge.exe
- 3992 msedge.exe -> 1896 msedge.exe
- 3992 msedge.exe -> 1288 msedge.exe (the bulk of the entries)
- 3992 msedge.exe -> 2856 msedge.exe
- 3992 msedge.exe -> 1108 msedge.exe
-
System policy modification 1 TTPs 6 IoCs
Processes:
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- sihost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- tmp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
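Detection logic for the registry-based behaviour in the signatures above (the Winlogon\Shell change, the two Run keys and the UAC policy values), as an added example that is not part of the sandbox report or of the sample. It evaluates Sysmon-style "registry value set" events, constructed inline to mirror the IoCs listed here plus two benign controls, against three checks a triage analyst would script. The path patterns, the "user-writable target" heuristic and the finding labels are the author's choices, not sandbox output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Value paths as the sandbox prints them: \REGISTRY\MACHINE is HKLM and
# \REGISTRY\USER\<SID> is HKU\<SID>. These patterns are the author's, not the sandbox's.
WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
UAC_POLICY = re.compile(
    r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", re.I)
# Heuristic: a launch target under a user profile's AppData, with either slash style.
USER_WRITABLE = re.compile(r"[A-Z]:[\\/]+Users[\\/]+[^\\/]+[\\/]+AppData", re.I)


@dataclass
class RegEvent:
    """One 'registry value set' event in the shape of Sysmon Event ID 13 (constructed)."""
    process: str
    target: str   # full value path
    data: str     # value data rendered as a string


def check_event(ev: RegEvent) -> List[str]:
    """Return the finding labels raised by a single event (empty list if benign)."""
    findings = []
    if WINLOGON_SHELL.search(ev.target):
        # The only legitimate value is exactly "explorer.exe"; anything appended
        # to it is started by Winlogon at every interactive logon.
        if ev.data.strip().lower() != "explorer.exe":
            findings.append("winlogon_shell_hijack")
    if RUN_KEY.search(ev.target) and USER_WRITABLE.search(ev.data):
        findings.append("run_key_userwritable_target")
    m = UAC_POLICY.search(ev.target)
    if m and ev.data.strip() == "0":
        findings.append("uac_policy_disabled:" + m.group(1))
    return findings


def triage(events: List[RegEvent]) -> Dict[str, List[str]]:
    """Map each process name to its distinct findings, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for f in check_event(ev):
            hits = out.setdefault(ev.process, [])
            if f not in hits:
                hits.append(f)
    return out


# Constructed events: the first five copy paths and data from the report's
# signatures; the last two are benign controls added for contrast.
SAMPLE_EVENTS = [
    RegEvent("tmp.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             'explorer.exe, "C:/Users/Admin/AppData/Local/\\sihost.exe"'),
    RegEvent("tmp.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost",
             '"C:/Users/Admin/AppData/Local/\\sihost.exe"'),
    RegEvent("tmp.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
             "0"),
    RegEvent("sihost.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
             "0"),
    RegEvent("sihost.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
             "0"),
    # Benign control: an updater registered from Program Files (constructed).
    RegEvent("setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate",
             r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
    # Benign control: Shell left at its default value (constructed).
    RegEvent("explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe"),
]

if __name__ == "__main__":
    for proc, hits in triage(SAMPLE_EVENTS).items():
        print(proc, hits)
```

The Winlogon check compares against the exact default rather than looking for a known-bad string, because the report shows the technique is to keep explorer.exe and append the payload after a comma; a substring match on "explorer.exe" would miss it.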
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mShYUv1mtZ.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exe (depth 3)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
(A sleep idiom common in dropper batch files: it samples the local clock twice, 5 seconds apart, instead of calling timeout, which fails without an interactive console.)
-
C:\Users\Admin\AppData\Local\sihost.exe (depth 3)
Command line: "C:/Users/Admin/AppData/Local/\sihost.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13090/
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9623f46f8,0x7ff9623f4708,0x7ff9623f4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6633e5460,0x7ff6633e5470,0x7ff6633e5480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6376521532317309002,5719088100598389831,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4296 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
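The three schtasks.exe command lines in the tree are the persistence the sample installs: task names sihost and sihosts, a target under the user's AppData written with forward slashes and a stray backslash, /rl HIGHEST on two of them, and MINUTE schedules that restart the RAT if it is killed alongside an ONLOGON trigger; the "Process spawned unexpected child process" signature records wmiprvse.exe as their parent. The following added example, which is not part of the report or of the sample, parses such command lines out of a process tree and scores them. The scoring rules and the fourth, benign VendorUpdate entry are constructed by the author.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Heuristic (author's): launch target under a user profile's AppData, either slash style.
USER_WRITABLE = re.compile(r"[A-Z]:[\\/]+Users[\\/]+[^\\/]+[\\/]+AppData", re.I)


@dataclass
class SchtasksCreate:
    task_name: str
    schedule: str                 # /sc value, upper-cased (MINUTE, ONLOGON, DAILY, ...)
    modifier: Optional[str]       # /mo value, e.g. "8" for every 8 minutes
    target: str                   # /tr value with the surrounding quotes removed
    run_level: Optional[str]      # /rl value (HIGHEST means run elevated)
    force: bool                   # /f present: silently overwrite an existing task
    flags: List[str] = field(default_factory=list)


def _unquote(s: str) -> str:
    # The tree shows /tr wrapped in both "..." and '...'; peel both layers.
    return s.strip().strip('"').strip("'")


def parse_schtasks(cmdline: str) -> Optional[SchtasksCreate]:
    """Return the parsed /create command, or None for any other schtasks use."""
    # posix=False keeps Windows paths intact: no backslash escaping, quotes stay on tokens.
    toks = shlex.split(cmdline, posix=False)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def opt(name: str) -> Optional[str]:
        try:
            return toks[low.index(name) + 1]
        except (ValueError, IndexError):
            return None

    return SchtasksCreate(
        task_name=_unquote(opt("/tn") or ""),
        schedule=(opt("/sc") or "").upper(),
        modifier=opt("/mo"),
        target=_unquote(opt("/tr") or ""),
        run_level=opt("/rl"),
        force="/f" in low,
    )


def score(task: SchtasksCreate, parent_image: str) -> SchtasksCreate:
    """Attach triage flags (author's rules) and return the task for chaining."""
    if USER_WRITABLE.search(task.target):
        task.flags.append("target_in_user_profile")
    if (task.run_level or "").upper() == "HIGHEST":
        task.flags.append("runs_elevated")
    if task.schedule == "MINUTE":
        task.flags.append("minute_interval_respawn")  # relaunches the payload if it is killed
    if task.schedule == "ONLOGON":
        task.flags.append("logon_persistence")
    if parent_image.lower().endswith("wmiprvse.exe"):
        task.flags.append("spawned_via_wmi")          # Win32_Process.Create children sit under WmiPrvSE
    return task


# (parent image, command line): the first three are copied from the process tree,
# with the parent taken from the "unexpected child process" signature; the fourth
# is a constructed benign control.
TREE: List[Tuple[str, str]] = [
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     "schtasks.exe /create /tn \"sihosts\" /sc MINUTE /mo 8 /tr \"'C:/Users/Admin/AppData/Local/\\sihost.exe'\" /f"),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     "schtasks.exe /create /tn \"sihost\" /sc ONLOGON /tr \"'C:/Users/Admin/AppData/Local/\\sihost.exe'\" /rl HIGHEST /f"),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     "schtasks.exe /create /tn \"sihosts\" /sc MINUTE /mo 11 /tr \"'C:/Users/Admin/AppData/Local/\\sihost.exe'\" /rl HIGHEST /f"),
    (r"C:\Windows\explorer.exe",
     "schtasks.exe /create /tn \"VendorUpdate\" /sc DAILY /st 03:00 /tr \"C:\\Program Files\\Vendor\\update.exe\" /f"),
]


def triage_tree(tree: List[Tuple[str, str]] = TREE) -> List[SchtasksCreate]:
    """Parse and score every schtasks /create line in the tree, in order."""
    results = []
    for parent, cmd in tree:
        task = parse_schtasks(cmd)
        if task is not None:
            results.append(score(task, parent))
    return results


if __name__ == "__main__":
    for t in triage_tree():
        print(t.task_name, t.schedule, t.modifier, t.run_level, t.target, t.flags)
```

Note that the third command re-creates the task named sihosts with /f, so the 8-minute task from the first command is overwritten by the 11-minute one; on a live host only two tasks (sihost and sihosts) remain to be removed.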
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 ae2c65ccf1085f2a624551421576a3ee
SHA1 f1dea6ccfbd7803cc4489b9260758b8ad053e08e
SHA256 49bfbbfbdb367d1c91863108c87b4f2f2cfffbbbb5e9c1256344bc7f52038c54
SHA512 3abbfbb4804c6b1d1a579e56a04057f5d9c52cfd48ecbae42d919398f70da2eacd5a35cb3c3d0a559ad3515fadb1734b0d47be48dce0fdd9fd11578948a6c7ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize 2KB
MD5 0ee132ffeccb52306a608318b87b93f6
SHA1 ed63bcd85331172abe521ccd7ca271920399d638
SHA256 cecb8f508fcb158e29d447d643e99e2be769a47555eb4d8246140d4557af6f58
SHA512 9198761db876a380b09a7570377408362f893d9f1c3d41135e0997674239cde5e8765ecac6500084d1c02ad8a79fa5b058d2ccefabce635e2ca2ae00099f3ddb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 36547c21532411666c8c4ad39134d026
SHA1 9404fa8acec92a7b03fbcb6492c21013a6ded746
SHA256 36fb6fb6f10ffccca0875f86e675006e10a69f7c9c8a6501999b32d999d1d4a1
SHA512 c33d482cc736612e057efd2b5db5958a5173b0d9e92bcdeceffc474318bde68ca89bee9aeac34b9607ea3d3a8f1a0e46ebd53c53ad41968825b79fbaedb6de46
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 4KB
MD5 8a91461162b0aed09539d467d664e6c2
SHA1 6ce45970e1801220e04d80cc9e31482b0c429348
SHA256 bde6d33cdd255d8cbd5eb8c1d1bc6469a666f8c739ae2cee7bb993c3a971d30f
SHA512 89cba3d544fa7cb068a0ed3535894cc1e223b107886da1d57ee04f4697f9fe84cab2bb0a5c579d0227c845eacf2396f6b7ad26df09c0a7b6338f00e7e0078d1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 89a4825c1233e8be2695aad946029304
SHA1 a96fbe910c59ec9c787cae05feeac3ae964606d1
SHA256 552d7ac020358516e28a0c2db80384a533e855a641154aba48bf52fb0dd94555
SHA512 d62e0aabd645386c20aaed41f87fb904162578e46969d5d19f22ea94bf6acee4f93ecf84918c97c5156b61a40dd72a0593cebc592becf035a33f55db014faf21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize 24KB
MD5 b3fbb8a02260d5e41407a7e1af3ee2f6
SHA1 9180c8b9593405936b0fe52272571b63829525d4
SHA256 8c1434a31409aa606a51bdae37e0853597cb408a2cf199f05e02705df3fc15de
SHA512 8a6ec40722054025a8969a80e795b026fc806a0710eb2f9e016feb68cc09a19333404a8a62910e9b0335729fd64e8e1b6250513ffc334dc8d669d96de62eb5d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize 24KB
MD5 cfd585ce0db9a1484f8223dc2cfce2f8
SHA1 4e5e287160c05ecdff8acdfa0899faa5bad4de82
SHA256 0bcae3ddcadfadb917e4f910daefde07af8d2708b7795f3a1146102dcf6cf445
SHA512 b45dd6c3231a79155508d807d4b6f839d49e6120841c4f31147a83039515d3358822fa1fa4ae6f770b4369b96f221326c0b80dc2f0cd99d605440b12c93fb648
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 9KB
MD5 9b7b7d22354e919370f34484e25492f9
SHA1 2e60604169f666d0fa4e2e274623ae91b27895ac
SHA256 5a7a0111cbd2e5022261feac41e045794f6add09222691244424e703df3a3186
SHA512 1ef5f60c75871153eb8fa3e393d2393505af829842eef7933ca56a166806a8ba46f1dd32c57fec6c4b051ab95738f87611b39b2946948d1901be143aa76494fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 2dc93a6e33002be531c6cddbfe9d2036
SHA1 5fae07febe23d293d33ee5fdd836cf713a4026c0
SHA256 ca7c58d832763fdbed40a43fbdfb2cac9f40535953c2220c28a90f1589101494
SHA512 6939d4eb10818529d56c8366c55e3f9703005c3bb88c4c372845058116548e9dddca1594759c6a5a820bfe61b6b917853fbf9b0e7bbe04ea0a8ac4e5c8a52659
-
C:\Users\Admin\AppData\Local\Temp\mShYUv1mtZ.bat
Filesize 205B
MD5 c1004a0c7fb20123cec37bc54103f06c
SHA1 294a6e78c373695bd487c72cf1204a545c9a261a
SHA256 1793456d9069da102d072201265ba13823c05c802ab59c4363069b2817f92b7c
SHA512 7f49970900d043858e913ac15b49f929f59174a5d8e371cb41ef32d8d7d2c8b7c79c886427b4c243fb495704be0aa0d8d51b4d2153a8ead2c913468f0b5e99e4
-
C:\Users\Admin\AppData\Local\sihost.exe
Filesize 1.4MB
MD5 8db8ac6d19be3b52641ea16e209b9ea4
SHA1 602bcfe9d5721eb745984cd78282493123a6cdf4
SHA256 e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0
SHA512 301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91
-
C:\Users\Admin\AppData\Local\sihost.exe
Filesize 1.4MB
MD5 8db8ac6d19be3b52641ea16e209b9ea4
SHA1 602bcfe9d5721eb745984cd78282493123a6cdf4
SHA256 e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0
SHA512 301676215c3591ad203e141add1236f26fe999ee492e545d8b64f2047d11f5d2b5b210f8cf318bfdd1a53a215e02dcd14480e9d3508e021dec296e1dd255ed91
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 6be8479da1fa13d6432fe9143d5d0a24
SHA1 20aa34d3880b4d3a07be1d96d316f647193e6daf
SHA256 9dc2dba815683bba9af237f463920f23943329070d810701227c08374e98bc15
SHA512 433463e3d7b073adeef84d7e0f1091411eee4a8ea3f78548819573cd2ade85e6bf3e37d615f8b470cc7608a3dc8674a65b48587da0e31dcafb88d8a19636cb05
-
\??\pipe\LOCAL\crashpad_3992_PDDIODFEXIEEVLBE
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4292-147-0x0000000001750000-0x0000000001760000-memory.dmp
Filesize 64KB
-
memory/4960-133-0x0000000000900000-0x0000000000A6E000-memory.dmp
Filesize 1.4MB
-
memory/4960-137-0x000000001B780000-0x000000001B790000-memory.dmp
Filesize 64KB
-
memory/4960-134-0x000000001BEE0000-0x000000001BF30000-memory.dmp
Filesize 320KB
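Two things in the table above are worth checking by hash rather than by eye: C:\Users\Admin\AppData\Local\sihost.exe carries exactly the submitted sample's digests (the RAT copies itself, and the path is listed twice), and the crashpad named pipe carries the digests of zero bytes (MD5 d41d8cd9..., SHA256 e3b0c442...), meaning nothing was captured from it. The added example below, which is not part of the report, parses records in this table's layout (and tolerates the raw extraction form where the first label is fused onto the path), links dropped files back to the sample by SHA256 and recognises empty content by recomputing the empty-input digests with hashlib. The sample text is a constructed excerpt of the entries above.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# SHA256 of the submitted sample, copied from the General section.
SAMPLE_SHA256 = "e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0"

# Digests of zero bytes, recomputed so the check does not rely on memorised constants.
EMPTY = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
}

# "Label value" or bare "Label" (value then sits on the next line).
LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")


@dataclass
class Dropped:
    path: str
    size: str     # as printed ("1.4MB", "16B"); "" when the record has none
    md5: str
    sha1: str
    sha256: str


def parse_records(text: str) -> List[Dropped]:
    """Parse records separated by a line holding only '-'.

    Each record is a path followed by label/value lines. The raw extraction
    form, where the first label is fused onto the path ("...sihost.exeFilesize",
    "...LBEMD5") and its value sits on the following line, is accepted too.
    """
    out = []
    for block in text.strip().split("\n-\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        path, rest = lines[0], lines[1:]
        for fused in ("Filesize", "MD5"):
            if path.endswith(fused) and len(path) > len(fused):
                path, rest = path[:-len(fused)], [fused] + rest
                break
        fields = {"Filesize": "", "MD5": "", "SHA1": "", "SHA256": ""}
        i = 0
        while i < len(rest):
            m = LABEL.match(rest[i])
            i += 1
            if not m:
                continue
            label, value = m.group(1), m.group(2)
            if not value and i < len(rest):      # value on the next line
                value, i = rest[i], i + 1
            if label in fields:                  # SHA512 is parsed but not kept
                fields[label] = value if label == "Filesize" else value.lower()
        out.append(Dropped(path, fields["Filesize"], fields["MD5"],
                           fields["SHA1"], fields["SHA256"]))
    return out


def classify(rec: Dropped) -> List[str]:
    """Author's tags: self-copy of the sample, empty content, sandbox memory region."""
    tags = []
    if rec.sha256 == SAMPLE_SHA256:
        tags.append("copy_of_submitted_sample")
    if rec.md5 == EMPTY["MD5"] and rec.sha256 == EMPTY["SHA256"]:
        tags.append("empty_content")
    if rec.path.startswith("memory/"):
        tags.append("memory_dump")
    return tags


def triage(text: str) -> Dict[str, List[str]]:
    """Tags per path; a path that appears more than once gets an extra tag."""
    result: Dict[str, List[str]] = {}
    for rec in parse_records(text):
        if rec.path in result:
            if "written_more_than_once" not in result[rec.path]:
                result[rec.path].append("written_more_than_once")
        else:
            result[rec.path] = classify(rec)
    return result


# Constructed excerpt of the table above (SHA512 lines omitted for brevity).
SAMPLE_TEXT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 36547c21532411666c8c4ad39134d026
SHA1 9404fa8acec92a7b03fbcb6492c21013a6ded746
SHA256 36fb6fb6f10ffccca0875f86e675006e10a69f7c9c8a6501999b32d999d1d4a1
-
C:\Users\Admin\AppData\Local\sihost.exe
Filesize 1.4MB
MD5 8db8ac6d19be3b52641ea16e209b9ea4
SHA1 602bcfe9d5721eb745984cd78282493123a6cdf4
SHA256 e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0
-
C:\Users\Admin\AppData\Local\sihost.exe
Filesize 1.4MB
MD5 8db8ac6d19be3b52641ea16e209b9ea4
SHA1 602bcfe9d5721eb745984cd78282493123a6cdf4
SHA256 e7dceabe18dfe33021fa25c3b804bc1301e59f76718742b5eb26f3979086c3e0
-
\??\pipe\LOCAL\crashpad_3992_PDDIODFEXIEEVLBE
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/4960-133-0x0000000000900000-0x0000000000A6E000-memory.dmp
Filesize 1.4MB
"""

if __name__ == "__main__":
    for path, tags in triage(SAMPLE_TEXT).items():
        print(tags, path)
```

Matching on SHA256 rather than on file name is what makes the self-copy visible: the dropped file's name (sihost.exe) imitates a legitimate Windows binary, but its digest is the submitted sample's.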