dcrat | 37b1874b580fc0c5896b06bd5ae855d66d15ab2be63408c0bda9dbd9441c0b13

Analysis

max time kernel
153s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AllergiesList/Allergies List and Allowed Substances.numb05151.pdf.scr
Size

920.3MB
MD5

491c5ac82977262ef24bd22ad312c622
SHA1

1f0555370f07e94182059701f63e940429757157
SHA256

ea770032c44e773b9c9865d4ff3bfb10f76b003ace1bbfbe45755ffff227e5fe
SHA512

a9974fe623a979e12d8493200f36aa4aab5763ea97ed4d5924fb1f579038d686bb10d789d576343ce4ca4c8a4657ed9404b7ffb52f701f6f880eb75e766f6734
SSDEEP

393216:rc8yiMPNWZV4nXF12elEA7YKsHES/Sl50l:rcOMPNWTM2elpBtSwW

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1736-133-0x0000000000320000-0x0000000002C86000-memory.dmp	dcrat
behavioral2/memory/1352-8724-0x0000000000400000-0x00000000004D0000-memory.dmp	dcrat

.NET Reactor proctector 34 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/1736-133-0x0000000000320000-0x0000000002C86000-memory.dmp	net_reactor
behavioral2/memory/1736-135-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-136-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-138-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-140-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-142-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-144-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-146-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-148-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-150-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-152-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-154-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-156-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-158-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-160-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-162-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-164-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-166-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-168-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-170-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-172-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-174-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-176-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-178-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-180-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-182-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-184-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-186-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-188-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-190-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-192-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-194-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-196-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor
behavioral2/memory/1736-198-0x000000001DA20000-0x000000001DB70000-memory.dmp	net_reactor

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 ipinfo.io
48 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scr

description pid process target process

PID 1736 set thread context of 1352 1736 Allergies List and Allowed Substances.numb05151.pdf.scr MSBuild.exe

flow	ioc
47	ipinfo.io
48	ipinfo.io

description	pid	process	target process
PID 1736 set thread context of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\129945ae-67d7-4057-a8c9-398bebea062f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230607041033.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMSBuild.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1736	Allergies List and Allowed Substances.numb05151.pdf.scr
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1352	MSBuild.exe
1796	msedge.exe
1796	msedge.exe
1772	msedge.exe
1772	msedge.exe
3100	identity_helper.exe
3100	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
1772 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMSBuild.exe

description pid process

Token: SeDebugPrivilege 1736 Allergies List and Allowed Substances.numb05151.pdf.scr
Token: SeDebugPrivilege 1352 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1772 msedge.exe
1772 msedge.exe
1772 msedge.exe

pid	process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

description	pid	process
Token: SeDebugPrivilege	1736	Allergies List and Allowed Substances.numb05151.pdf.scr
Token: SeDebugPrivilege	1352	MSBuild.exe

pid	process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Allergies List and Allowed Substances.numb05151.pdf.scrMSBuild.exemsedge.exe

description	pid	process	target process
PID 1736 wrote to memory of 2708	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 2708	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 2708	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1096	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1096	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1096	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 2620	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 2620	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 2620	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1736 wrote to memory of 1352	1736	Allergies List and Allowed Substances.numb05151.pdf.scr	MSBuild.exe
PID 1352 wrote to memory of 1772	1352	MSBuild.exe	msedge.exe
PID 1352 wrote to memory of 1772	1352	MSBuild.exe	msedge.exe
PID 1772 wrote to memory of 1960	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 1960	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 2832	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 1796	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 1796	1772	msedge.exe	msedge.exe
PID 1772 wrote to memory of 1932	1772	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\AllergiesList\Allergies List and Allowed Substances.numb05151.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\AllergiesList\Allergies List and Allowed Substances.numb05151.pdf.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12752/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd935746f8,0x7ffd93574708,0x7ffd93574718
4⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
4⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
4⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
4⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
4⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
4⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
4⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
4⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
4⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b62d5460,0x7ff6b62d5470,0x7ff6b62d5480
5⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
4⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
4⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2973588730665484942,16082154992293531438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
4⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
81bbc63c052a6f7624e9e8474b025d65

SHA1
6587b91efa43ebe7fe33708dfe4755c8f363f1fb

SHA256
2e197d52071af251a7d7de3eb99c975cf32011aa90d91b380dec87c9208dcdf1

SHA512
d4e66fe0b5affa7ec0ee7829923d7d4755fbca25f8218c0fbd84f705164816797d8f35b9b937e0f1696b763f006c804b3fad671e83e27ae49e7838276742f2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
a734603b6ea0c136f40034debc08fca0

SHA1
90827aa4101c44930c9665792fe6fd99872b267e

SHA256
f5d1fa606f32790556d016affb2de52e10433dec2eea898405916fd19320130b

SHA512
17c86bb7fe8cae0cbbbe9dae5a67fa8e37cdbcfa50c2d48b7c915001dc8f44ce4f3dc2d66b1129a845cbbb72451f855dd609683d68ab8d00201fee8031f0e4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7008e5aca6829cb20ae7bcc857918865

SHA1
eab53afa744838db21e442630ce76cfb347c9920

SHA256
b120de458976424b7f6983280d9dca44665e73a7b98a63d771ae8ea29e690a7d

SHA512
2413968595919014ff1389c3db89cdbc70e4c9e03fffdd019c16bddcfa8cfc428cb2732d42fc50ef9877426cbd62875f9c59d30d41ae611ac714134e9273a7f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4e51db3bc1465fb7c33c7fe9b6398a23

SHA1
365aa39b181eed87c5e7af425273611fee9d0374

SHA256
15ef3eadb3e21d7929d043bed778a60b193b5a222ce1b8e1cb3869c3cc58524b

SHA512
10f4ae171d455ad1c70b27b301526163a593056e9450c7e4213f4ba447e924bb814f2288fea5dcb0537dd8dbd630403759e1495e339972e889376908f3d576c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a7aae254859c4e9e0a087127ca929858

SHA1
5d9aee856f18ddba15e47e6a82ae84158f789acf

SHA256
590aea0e28221da9db644fcf2cfc83ff4d7b47ef36f4f1293ded714856706b51

SHA512
c0682ade2df9573af21197b06edc226b55775f623beb29443e6630697e53e759f271cc8c596fde33820059f8d0ae421ee66a5a0566092d72f6e433821395f089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
bc5f988722f72244e9a4aa8e1d6a0ee2

SHA1
4a132601b1d75fe013d364df95b711223eb9f742

SHA256
8ae99505d61450350ed2799d1bcca3cf9bcd4dd2e6a99cfcfcb2e929704592d9

SHA512
be7c42520bfe8aa8a966881190240bfef15471e84c4dad78ee3c3c0adc14d02e24f6eb950a68914d5870d51c4e91e42cb91eaedc69c360cb9cdc70c40d0cea2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
ab0e6ef21f9520fe0b417d26afddd3ab

SHA1
a80275a66d7a5d827a2475367b74516812afa7b7

SHA256
c8fe2e7c0dfe40472294fff8fef3b41142cafbc3c2be3cce7ad377aae984962c

SHA512
2b657f52e0d1ee8cf7acbf19368da5456795a79a8d6430ea27ced9dc7959b7fb1794700db376de8c77c1fb754537853c8e9d4ca38d73f56fa00c3bdc80f436e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
264274888cbcfbfb780b97e13048772f

SHA1
3c01fbffb63284567beb551419225b77c1db391e

SHA256
75af7b158cd6dd2e4e3fe3558a465762600b444335755f3ea6e06c402e53bf5c

SHA512
86edb90c44a009a012aa9c6abba121d51e6945623659e0f5ee656dbf1301c23a4ceb95fc80f87ccc1c111eaf69e0554573a055a65b8f28fa99dc6a6896aace80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
7ed214b6908b3c5658a92bb034cdefec

SHA1
e3dd17fadcf2a6630e9565927ed6a38f78d375ff

SHA256
273a1f5d36ee864a0b26fc959269836b89af52a5030b27bba6388958c200d6f9

SHA512
0a59de25ea564ce4596ffadc53605eb161fd7e0de2f4bc08a31120b07eb5f293141d5324e9dbe7680b32d8ab0449997fb180987137b7906f0267214242bab454

Download Submit
\??\pipe\LOCAL\crashpad_1772_JZIDYIFPBMSRIZAP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1352-8732-0x00000000076C0000-0x0000000007BEC000-memory.dmp

Filesize
5.2MB

Download
memory/1352-8724-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1352-8731-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1352-8730-0x0000000006C80000-0x0000000006E42000-memory.dmp

Filesize
1.8MB

Download
memory/1352-8729-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/1352-8728-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/1352-8727-0x0000000005910000-0x0000000005960000-memory.dmp

Filesize
320KB

Download
memory/1352-8726-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1352-8725-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/1736-160-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-168-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-188-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-190-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-192-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-194-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-196-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-198-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-1150-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1736-184-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-182-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-180-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-178-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-176-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-174-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-172-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-170-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-186-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-166-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-164-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-162-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-133-0x0000000000320000-0x0000000002C86000-memory.dmp

Filesize
41.4MB

Download
memory/1736-158-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-156-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-154-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-152-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-150-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-148-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-146-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-144-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-142-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-140-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-138-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-136-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-135-0x000000001DA20000-0x000000001DB70000-memory.dmp

Filesize
1.3MB

Download
memory/1736-134-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download