dcrat | hxxps://drive[.]google[.]com/file/d/1tPIvS-qz7d4hHOdZav5l3nUu6vZdDEIW/view?usp=sharing

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 19:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1tPIvS-qz7d4hHOdZav5l3nUu6vZdDEIW/view?usp=sharing

Score

10^/10

dcrat credential_access discovery evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection		msedge.exe
		5532	schtasks.exe
		5872	schtasks.exe
		5804	schtasks.exe
		4484	schtasks.exe
		1656	schtasks.exe
		2844	schtasks.exe
		2776	schtasks.exe
		3220	schtasks.exe
		5796	schtasks.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02		SmgiBroker.exe
		1536	schtasks.exe
		5848	schtasks.exe
		5124	schtasks.exe
		4128	schtasks.exe
		3276	schtasks.exe
		5828	schtasks.exe
		744	schtasks.exe
		5036	schtasks.exe
		5128	schtasks.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5532	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5828	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5848	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5872	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2008	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	2008	schtasks.exe	102

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000002347f-173.dat	dcrat
behavioral1/files/0x0007000000023483-185.dat	dcrat
behavioral1/memory/5644-187-0x0000000000C50000-0x0000000000D82000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	sosal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	SmgiBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	sosal.exe
5644	SmgiBroker.exe
5968	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
7	drive.google.com
8	drive.google.com
13	drive.google.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\SppExtComObj.exe	SmgiBroker.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	SmgiBroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\SearchApp.exe	SmgiBroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\38384e6a620884	SmgiBroker.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	SmgiBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\OfficeClickToRun.exe	SmgiBroker.exe
File created	C:\Windows\ShellComponents\e6c9b481da804f	SmgiBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sosal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3992	taskkill.exe
5460	taskkill.exe
2416	taskkill.exe
5900	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	sosal.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1860	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1656	schtasks.exe
2776	schtasks.exe
5828	schtasks.exe
5872	schtasks.exe
3276	schtasks.exe
1536	schtasks.exe
5036	schtasks.exe
5128	schtasks.exe
4128	schtasks.exe
4484	schtasks.exe
2844	schtasks.exe
5848	schtasks.exe
744	schtasks.exe
3220	schtasks.exe
5804	schtasks.exe
5532	schtasks.exe
5124	schtasks.exe
5796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1008	msedge.exe
1008	msedge.exe
3084	msedge.exe
3084	msedge.exe
1620	identity_helper.exe
1620	identity_helper.exe
5224	msedge.exe
5224	msedge.exe
5644	SmgiBroker.exe
5644	SmgiBroker.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe
5968	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5912	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5912	7zFM.exe
Token: 35	5912	7zFM.exe
Token: SeSecurityPrivilege	5912	7zFM.exe
Token: SeDebugPrivilege	5644	SmgiBroker.exe
Token: SeDebugPrivilege	5968	Idle.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	5460	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	5900	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
5912	7zFM.exe
5912	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	sosal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 464	3084	msedge.exe	85
PID 3084 wrote to memory of 464	3084	msedge.exe	85
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1104	3084	msedge.exe	86
PID 3084 wrote to memory of 1008	3084	msedge.exe	87
PID 3084 wrote to memory of 1008	3084	msedge.exe	87
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88
PID 3084 wrote to memory of 4064	3084	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1tPIvS-qz7d4hHOdZav5l3nUu6vZdDEIW/view?usp=sharing
1⤵
- DcRat
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6cbf46f8,0x7ffb6cbf4708,0x7ffb6cbf4718
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4814860686374973705,9903600181370880549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5696

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\sosal.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5912

C:\Users\Admin\Desktop\sosal.exe
"C:\Users\Admin\Desktop\sosal.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Servercommon\tL3nIUGWPZSSigjR2xRZXSW8P.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Servercommon\BGdxsfRv.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Servercommon\SmgiBroker.exe
      "C:\Servercommon\SmgiBroker.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5644
    - - C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5968
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe
        6⤵
        
        PID:5800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im crss.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im wininit.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im winlogon.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im svchost.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Servercommon\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Servercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Servercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Servercommon\BGdxsfRv.bat

Filesize
144B

MD5
2af807b0dc97dfb0bf964c60c7d8c6c7

SHA1
986eeb49e5b0dbed7870a574dbaf48bb560df151

SHA256
b97f49ca35b11fad71de6945e82d3cc263a84af0de99b5a789354687065e8525

SHA512
d88661cd350ede20b28fb27e862a6dc14af3ff5b836e6b15c37dd553c0c4675d49e013e20a1b2a53bca3aff65924d0391178fd87a001328c33246b19d92686d7

Download Submit
C:\Servercommon\SmgiBroker.exe

Filesize
1.2MB

MD5
8c5dad04659a6732c3af649cff339a35

SHA1
172e2c4341427bf43df1730ab4b8ea235a085097

SHA256
bd168315ff73517160c18c63220a3f14776f6480009be12d73698397e6afd262

SHA512
fbd83e7bfbd6d7f84f98040ae2a56d9a3ad8b5c9db752721dd41e3c8e226a93ad630d6d4507c8a111793a21074115a3f1ee7e70b21f8242c36d9e58ec6802b22

Download Submit
C:\Servercommon\tL3nIUGWPZSSigjR2xRZXSW8P.vbe

Filesize
197B

MD5
fd83d926076a0fe7603694bbb17e5fb6

SHA1
d6a587cf6367cb8de18ea8d6cde4e7a2f511e43d

SHA256
6578590cad20d589bc397d0a4dae85beb9bf08d80f1f9255a9d58701509c85c7

SHA512
d77896d02e62e70f6fedf996c92266f60a3e82bac4ffe03b2031e861a97a5d7f3d17d68234376631a5621bc860a442e05e5494ed32286758f5f24b09141a1258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
16fa6c524b34da6d2fee67ec7110c7c5

SHA1
aef9239db304b2cd133af3303789a6580e7f54b9

SHA256
57864a9243678f833d1fd19aec755da2b614c7016a95001e53621ca848c05bb0

SHA512
7a9828054a25d1c34c7a769a2da01a8c65fc8bffee9bb02d369b95a35410a2a2d12bce1446cf09d61e43f106f6c06f943b75ed54aecbff0e50c2fc76978ca3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
4b272a2d33589ced4ed29918030107e7

SHA1
6a83627b9c004edfaf2c2ffcf5dab24c7e3a723d

SHA256
5bd8eb97591e60409fb8ba178ef60bff04a52b69b315994895aaee8453d7f200

SHA512
e499b247372d7c7cabbe7b38a9d9d03eac12f1a4a5409e85cd857a9cc10c70a0bb4c28a3d045decebf5f1ccccf44de7592a0d937be8deac03b299c248c9a79a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
12f2a0ca45833b9fb3c3ef0be03a0e3a

SHA1
f4642746339f108e472cd4a276976ca4393686b3

SHA256
02a83e4d82cbe91a65c8a420d484497ff9624d70d8523849659952d3fa38713d

SHA512
21a15b010879b22b993b9224b014ff59ab83125292e096def167d9362c5a189bf9676942a787efd71324e09d8892d72902059e9b51b9e1d42333ccaeb6499263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9363ac219a0702fb0190d06eceda4e4b

SHA1
fa6b33cc5d7d595ec298be1158d0880b8035f811

SHA256
05c585d3b01702867f1d15433aa870a3df812a9e501d43065600d25825c500c8

SHA512
cbf0370d66aca32f4ff7938635676f7f7105d2a32398746fcfa1e2ff078fa9c70f421cccfde849cf03d6e9655f8e37708efe44247024f5fcdd2bfddd99a9d17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c2ae879f66299a93e3709886f8a9a8d

SHA1
b8a8cf6914ed5c47cd7d09f81523aa8a7d13f3e0

SHA256
d0c987db08c7c06206c904fea979de877f62207bf6747da033b1aee952f20785

SHA512
6dc5809c945f1fbcabdd02f0c353b2b13428cdddbbd6001cfc2ef89388fce69fddfe667b0db084a096744d4ec84e77d8758dd2b0e39613c5aa50bbdf0e7cdcae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4126c3be0d2cdebf6a638ae623b57ed3

SHA1
041da7d87f0c75c33e5aa6c905792f2de3f65e46

SHA256
65a7854bb392fc60f2eaa0adb35edd99ada9a7cdc253a4f70fb223534913e390

SHA512
cb4638beb304ef6557419e3f8b06d431f59ba04ea3b87e0254be21891a4ad533ea2bf61d430c88b4085a82406ca10fa06524e02a413047253993173e216fe9e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6c50a1b1d3c7ede1b8523876ce2ea96

SHA1
c9e0cabb4012bdf0c61d48a133c7c635b7e299e3

SHA256
25805c81b2f08e3356940507cfd6f3db3fc6fc8df7a6fcc8a20ce717926bfb81

SHA512
ccd36e8a38bf63d791abef5c9f29b8dfbb3fc7d6d48e3b2b73518a9da364daa01baf300f36eab149b13eace9fea4942764faaa7dfc5e6c6b0203cea98e3d9696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7863034aa479e42b19838496cde1c4d2

SHA1
f762ce2257716e4facbfe252a992556503d16728

SHA256
6d593ca25523d6061bbb104191123f3b3ee08d0b5c6c6ecab46d802b6c48efc1

SHA512
a2d9a81b603b133dc4d78027b5d533b5f6a545c19205b4c22e03f98d348f9a2806b612c7c867728e02dfc0f43cb3cbc72f24236b1e3e569371c4f2eaae0d051d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d79817c781d298720cdacf69c5626f9

SHA1
748257797bf025812a7a84ce18772a6f2d3d1a56

SHA256
ed27f280d214979875a372dae9dd92bc3f8f2a924a8faea1c2b40e3851e164e4

SHA512
59c39ef37113e6f51f884be80eb4a890b8bbf6cfb258b1bc0f6be4eabb4c7193477ca564c5ef430443d34595b002edf0ec302ba8d522feab8b2235dd9677252e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cb036d2f89608976857aac1454735cd6

SHA1
6f625765e2d56b0b89118ff9bb53bf68e9d277f6

SHA256
5395d8d878f88ebe2da548697c3d33bfd04917bdda72e23e94aae7701e5bfb0f

SHA512
baab4821a1719f55803d0bb4a15f03d17c2798f2901ee5a61ba02ed5a28396bab4e1677a52cd73b638246bb65c8b2381455f6a5a9fc4082b92e34d3264cff5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\Desktop\sosal.exe

Filesize
1.6MB

MD5
21467382b4e3ee8dc179a7e8f56265ef

SHA1
a90440d85bde9c08255260c2c27a5394d6fcaeb0

SHA256
e956867ba5faf054c144a64ae600f5e152138f21046c700b99da48f0854c6f8f

SHA512
ba501c970540e8cb8a57b06fc0e2acfa0284931f2c24969916587006bffb35b460ee172f06d730e592d3dd4dfed32934068d8f356e211eb6fcd9bed0a62c412c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 530496.crdownload

Filesize
1005KB

MD5
d5cb146a42318acb19c23fe03e7d0b49

SHA1
4235405fc6e90ee649bda05a5b86260ef007817f

SHA256
0112d48dbbf64dea0a50b57f68e6a7e270def45b4bfdd8e9db896566d326bd5e

SHA512
78f6ecd5aae50fa9583497d6c01035eb5161b20a7835f76d5adde5c25224011477780c33faef5c5c1f84d0b76e55c9eacf536e17f74249c36393634e4101b193

Download Submit
memory/5644-189-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/5644-190-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

Filesize
88KB

Download
memory/5644-191-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

Filesize
48KB

Download
memory/5644-188-0x0000000001650000-0x000000000166C000-memory.dmp

Filesize
112KB

Download
memory/5644-187-0x0000000000C50000-0x0000000000D82000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads