bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
324s
max time network
327s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor discovery

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

msedge.exe

flow	ioc
174	zirabuo.bazar
184	zirabuo.bazar
198	zirabuo.bazar
200	zirabuo.bazar
138	zirabuo.bazar
177	zirabuo.bazar
152	zirabuo.bazar
164	zirabuo.bazar
180	zirabuo.bazar
189	zirabuo.bazar
190	zirabuo.bazar
201	zirabuo.bazar
203	zirabuo.bazar
136	zirabuo.bazar
139	zirabuo.bazar
148	zirabuo.bazar
150	zirabuo.bazar
162	zirabuo.bazar
183	zirabuo.bazar
143	zirabuo.bazar
157	zirabuo.bazar
159	zirabuo.bazar
168	zirabuo.bazar
179	zirabuo.bazar
181	zirabuo.bazar
151	zirabuo.bazar
160	zirabuo.bazar
166	zirabuo.bazar
167	zirabuo.bazar
172	zirabuo.bazar
173	zirabuo.bazar
188	zirabuo.bazar
140	zirabuo.bazar
178	zirabuo.bazar
187	zirabuo.bazar
196	zirabuo.bazar
141	zirabuo.bazar
165	zirabuo.bazar
154	zirabuo.bazar
170	zirabuo.bazar
185	zirabuo.bazar
192	zirabuo.bazar
197	zirabuo.bazar
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
135	zirabuo.bazar
169	zirabuo.bazar
182	zirabuo.bazar
202	zirabuo.bazar
146	zirabuo.bazar
161	zirabuo.bazar
175	zirabuo.bazar
186	zirabuo.bazar
193	zirabuo.bazar
149	zirabuo.bazar
153	zirabuo.bazar
155	zirabuo.bazar
156	zirabuo.bazar
163	zirabuo.bazar
195	zirabuo.bazar
147	zirabuo.bazar
158	zirabuo.bazar
194	zirabuo.bazar
199	zirabuo.bazar
134	zirabuo.bazar

Downloads MZ/PE file

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
168	zirabuo.bazar
188	zirabuo.bazar
137	zirabuo.bazar
150	zirabuo.bazar
155	zirabuo.bazar
172	zirabuo.bazar
196	zirabuo.bazar
149	zirabuo.bazar
157	zirabuo.bazar
162	zirabuo.bazar
175	zirabuo.bazar
176	zirabuo.bazar
134	zirabuo.bazar
135	zirabuo.bazar
156	zirabuo.bazar
192	zirabuo.bazar
194	zirabuo.bazar
179	zirabuo.bazar
181	zirabuo.bazar
184	zirabuo.bazar
163	zirabuo.bazar
166	zirabuo.bazar
191	zirabuo.bazar
199	zirabuo.bazar
140	zirabuo.bazar
151	zirabuo.bazar
159	zirabuo.bazar
187	zirabuo.bazar
190	zirabuo.bazar
202	zirabuo.bazar
165	zirabuo.bazar
182	zirabuo.bazar
186	zirabuo.bazar
169	zirabuo.bazar
180	zirabuo.bazar
185	zirabuo.bazar
145	zirabuo.bazar
147	zirabuo.bazar
158	zirabuo.bazar
136	zirabuo.bazar
167	zirabuo.bazar
174	zirabuo.bazar
171	zirabuo.bazar
183	zirabuo.bazar
198	zirabuo.bazar
160	zirabuo.bazar
195	zirabuo.bazar
200	zirabuo.bazar
144	zirabuo.bazar
148	zirabuo.bazar
154	zirabuo.bazar
170	zirabuo.bazar
173	zirabuo.bazar
189	zirabuo.bazar
203	zirabuo.bazar
138	zirabuo.bazar
153	zirabuo.bazar
161	zirabuo.bazar
177	zirabuo.bazar
142	zirabuo.bazar
152	zirabuo.bazar
164	zirabuo.bazar
141	zirabuo.bazar
146	zirabuo.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	87.98.175.85
Destination IP	104.238.186.189
Destination IP	159.89.249.249
Destination IP	185.117.154.144
Destination IP	51.255.48.78
Destination IP	159.89.249.249
Destination IP	87.98.175.85
Destination IP	188.165.200.156
Destination IP	192.99.85.244
Destination IP	147.135.185.78
Destination IP	82.196.9.45
Destination IP	77.73.68.161
Destination IP	178.17.170.179
Destination IP	144.76.133.38
Destination IP	139.59.208.246
Destination IP	46.101.70.183
Destination IP	46.101.70.183
Destination IP	81.2.241.148
Destination IP	169.239.202.202
Destination IP	81.2.241.148
Destination IP	87.98.175.85
Destination IP	89.18.27.167
Destination IP	128.52.130.209
Destination IP	87.98.175.85
Destination IP	162.248.241.94
Destination IP	172.104.136.243
Destination IP	82.196.9.45
Destination IP	89.18.27.167
Destination IP	185.164.136.225
Destination IP	167.99.153.82
Destination IP	51.255.48.78
Destination IP	69.164.196.21
Destination IP	193.183.98.66
Destination IP	167.99.153.82
Destination IP	172.104.136.243
Destination IP	104.37.195.178
Destination IP	198.251.90.143
Destination IP	5.132.191.104
Destination IP	82.196.9.45
Destination IP	142.4.205.47
Destination IP	45.71.112.70
Destination IP	159.89.249.249
Destination IP	192.52.166.110
Destination IP	51.254.25.115
Destination IP	144.76.133.38
Destination IP	5.135.183.146
Destination IP	92.222.97.145
Destination IP	31.171.251.118
Destination IP	158.69.160.164
Destination IP	45.63.124.65
Destination IP	139.99.96.146
Destination IP	82.196.9.45
Destination IP	159.89.249.249
Destination IP	163.172.185.51
Destination IP	51.255.211.146
Destination IP	66.70.211.246
Destination IP	185.208.208.141
Destination IP	185.121.177.177
Destination IP	185.121.177.177
Destination IP	91.217.137.37
Destination IP	45.71.112.70
Destination IP	77.73.68.161
Destination IP	176.126.70.119
Destination IP	77.73.68.161

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

344 raw.githubusercontent.com
345 raw.githubusercontent.com
362 raw.githubusercontent.com

flow	ioc
344	raw.githubusercontent.com
345	raw.githubusercontent.com
362	raw.githubusercontent.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

CefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

pid	process
4304	CefSharp.BrowserSubprocess.exe
2576	CefSharp.BrowserSubprocess.exe
3896	CefSharp.BrowserSubprocess.exe
3100	CefSharp.BrowserSubprocess.exe
4756	CefSharp.BrowserSubprocess.exe
3248	CefSharp.BrowserSubprocess.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exemulti.exeNyx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	multi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nyx.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeNyx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Nyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Nyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Nyx.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

Nyx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Nyx.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680374094187299"	Nyx.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeNyx.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3772	msedge.exe
3772	msedge.exe
1148	identity_helper.exe
1148	identity_helper.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
1436	msedge.exe
1436	msedge.exe
2976	Nyx.exe
2976	Nyx.exe
4756	CefSharp.BrowserSubprocess.exe
4756	CefSharp.BrowserSubprocess.exe
3248	CefSharp.BrowserSubprocess.exe
3248	CefSharp.BrowserSubprocess.exe
3100	CefSharp.BrowserSubprocess.exe
3100	CefSharp.BrowserSubprocess.exe
4304	CefSharp.BrowserSubprocess.exe
4304	CefSharp.BrowserSubprocess.exe
2576	CefSharp.BrowserSubprocess.exe
2576	CefSharp.BrowserSubprocess.exe
3896	CefSharp.BrowserSubprocess.exe
3896	CefSharp.BrowserSubprocess.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXENyx.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

description	pid	process
Token: 33	2092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2092	AUDIODG.EXE
Token: SeDebugPrivilege	2976	Nyx.exe
Token: SeDebugPrivilege	4756	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3248	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3100	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeDebugPrivilege	4304	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	2576	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeDebugPrivilege	3896	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe
Token: SeCreatePagefilePrivilege	2976	Nyx.exe
Token: SeShutdownPrivilege	2976	Nyx.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exeNyx.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
2976	Nyx.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dl2.exedl2.exe

pid process

3424 dl2.exe
2028 dl2.exe

pid	process
3424	dl2.exe
2028	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3772 wrote to memory of 1980	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1980	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2428	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3636	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3636	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3512	3772	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4d1446f8,0x7fff4d144708,0x7fff4d144718
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {14A6B8A1-2FCE-44C5-8632-0520E90DF713}
1⤵
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1904

C:\Users\Admin\Downloads\Nyx\Nyx.exe
"C:\Users\Admin\Downloads\Nyx\Nyx.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2976
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3568,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3580 --mojo-platform-channel-handle=3564 /prefetch:2 --host-process-id=2976
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3684,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3692 --mojo-platform-channel-handle=3676 /prefetch:3 --host-process-id=2976
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3720,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3764 --mojo-platform-channel-handle=3768 /prefetch:8 --host-process-id=2976
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=5144,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5200 --mojo-platform-channel-handle=5196 --host-process-id=2976 /prefetch:1
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=5152,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5256 --mojo-platform-channel-handle=5248 --host-process-id=2976 /prefetch:1
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=5760,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5576 --mojo-platform-channel-handle=5672 /prefetch:8 --host-process-id=2976
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5148

C:\Users\Admin\Downloads\Nyx\lib\multi.exe
"C:\Users\Admin\Downloads\Nyx\lib\multi.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Preferences

Filesize
6KB

MD5
6c82bfae38ab4731d6d69b0ef17f03ef

SHA1
e0cfcff986e3daa8b1ca466120c8eecf7a91a0b6

SHA256
fa824e52c3cdc84e2a8dc517bc0f6c12577af29eaeff04b820ab59a3ea2f0707

SHA512
322a7044e033101122d2638d854e6bd6523b6bd4c148b989dba249148949bed3a0870f3abb74b76e35f4b6941b0fd6c8b1d99ff1d754c64aee7db2e41b04c78f

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Preferences~RFe5c3291.TMP

Filesize
6KB

MD5
e2b431a7ba302efe3c038a0a35209a6a

SHA1
57f38cce2ba372a9993e32a04f3713f2c44ce219

SHA256
ba0c98a46f72ae3937e0c87c7f3e16ccd05935c88aa95c6c7bb424f946576538

SHA512
2c852dbe30c2334b91b1f68a18d5f377111589af2cc6f548aabe20333074fc2c9c35e0132634cc423087404147f6414e7ef74ba9293e0b790ae9610160a85abd

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
1KB

MD5
a5b4b5eaa2c11bca8795819d20bca67c

SHA1
16a6eee62b60ad40ee277abf83ed5607025337e8

SHA256
5275d8a2126e2a005876616047ef3012b9552e563729a7aa4fa7a7300eb79878

SHA512
b316ce9092deda255e10038a283bfcbfa2ae550b09d4ba128dc0346848d837bb7efcee4283632572dc72e5b6dcf6feda82657b44cade21a1cd26be9a32a3f93c

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
2KB

MD5
54ddc4f23d6b68807d28535a5f62ef3e

SHA1
da1d1b181295c230fcc734b574f4909c423e5fd6

SHA256
b7ac29c32314cbd53df5cd97c08b2d4d50fbc8023219bb717c2dd143369af917

SHA512
1ecb2a388d116185c638d6cda97ca91f3e3ec11f48513592c0947c88258f1be7ffc71f76104b34891b1bd0c3df6379eab3973e3809dae95873ef8de44c06d053

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State~RFe5b9622.TMP

Filesize
889B

MD5
b12724005607069ddc2c008bc61609ed

SHA1
91b7cf3fab838766ea007424c66298a4a23953b6

SHA256
f22cc27c69a26ef694ccdc1b0cc96826ad8bcfe4ce071003e41bfb1fc081e25a

SHA512
9bb79b671952d36f93eec35ec50742e643164b59b30296d3f44a87c5cafcf64af3fd88a511b69a251faef8721fc858ddcad4a04d35c17fb8874e456180bdbe03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0f3a7c79ef7d2688d9e2fece83a8963f

SHA1
ee8741e13b7c94b145946c2cb3db4e139d9a0c7c

SHA256
cb097c344b9f296bac6fb8a4bfb65d3d97bd4bd3d7273c7a922b8eb850a614d0

SHA512
7a2a3550ffd80b344406470cb906dc1cdcc2abd4d0f05b7c0f6df7d22a298151c5ca2d1bef2a15193da5ef3ecc299ac2d0a6c9907434e8f87ae1bd1fd5e5a206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

Filesize
3.5MB

MD5
1dad533956e7c6fb010efee531839804

SHA1
144f176d06b481d6f74e28d2dbe42b13f74fe86b

SHA256
9ac622feb3c11b7ae96de8cb03fa515277dba517a07d65c5e8e6e5ff43832d94

SHA512
63a4ad9af0273f91d29aaa354f9e58eda7c91a545a4b52a7c58d3cb6cfdd4b12d9bca6d7911ac87c5e04a81000e785a6f53369ad7dd21e704cf7eed03735c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

Filesize
25KB

MD5
731404066eadc1e1a6e54a3deec441b1

SHA1
bf4251b372fac63e20abd81c9f2f623db8903e49

SHA256
5c31a4db590db3fd25b6a49d65603d6a250610a400e67f311a290659c6f7903a

SHA512
82d9d5b3dd0bd2fc81b122e0b78ca7aa8a0a7c8bb0c0d767c6333a4a1b2caeca71c9372122b446e8574283b08f9133d41c3067efc6744e25e291f0f681aa4947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
378B

MD5
b8240ae6c28735781ae8fdaceb300831

SHA1
5e6f7a631737fc11317548f973608033fe298a97

SHA256
881f0251b95964557f5abd8a4af4f640f6da66d80fdfc656b049a11d39fe2447

SHA512
5230ee65de06158e0327b09d94a29191696e00d2788b3fb5cc4289da73e6f5bbeadf7bdea10ed72c83fd638caffca43158f34e362e19e3c8b0f6ed2c35752152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
378B

MD5
5352df5a790fecb06d96521452085f79

SHA1
aaf3cc8b626d8beae7ac52152b6d047d83b985d8

SHA256
a0a1d8041e0b4efb53823a193a87384dcf1577498ea670ebf3fc60e30e2f13aa

SHA512
c3b12af222678a4067938819973307b77361d2bb770914ee6d9ebc113f92b8394cc65cf7e2e53049900feebec4a7d8f4e9e76f060215aad0f9adc9734cf962a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
378B

MD5
9701a96fed825211b2eafdbd559f5801

SHA1
b1c3a25eaf524a63f411cc8546747aec513d1538

SHA256
726cc807d0baeb2254a1bbb73c5d8b8d6603316834017046b432e8e7113d7249

SHA512
1c180a3956175544614e38c866f459aba50f945e7f6649e4c6a45b8b2959d7a80859965e039bff1084d4942263b9743785778a1e6102aed4eedfcda29ef27f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5ad9a8.TMP

Filesize
337B

MD5
baff51384895d692f9c6b3a41f4d4acf

SHA1
8ed07bd0b7fe59459fe8524016a0a51255148eef

SHA256
f96e927d21ce27213f78e509a9c7af2353d60270dd6aaba5b5ae0ef59046af78

SHA512
14d5edc81f2589629a317e792411741a2e883745ef8f1e5928b1d1201c42e49388656d268eaf34f29751ddb3b87879bae157e99aae70374652155a8923386ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
52f54408f73dff022cd0f55af561aa06

SHA1
74a916221e9e3e20e2822ebd0a0c9566c048cbc7

SHA256
557ae00786147ceae4ed8a20bd62bf9bb294a79934fef591c81207f571b2c9d2

SHA512
2cc332790ca397e93e84bd6eff33723ec72321dda5eccf9343e2d2ba9e1906b868383034499eb53fcd7e335718faaf3cf3f1d2b97e340135dc5195701de810e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a8579a1c407cfdd698cd9556284915d

SHA1
2cf354ee66b9d67978392fd0f061f606783f346c

SHA256
863ea84ca88b4952e42c1ed48abe02d74b7e25d4da4cf7fd175869bde77890a5

SHA512
116351ce68e53d692aed081fcd68e9212c18ef0266b375c36670ff87fef13dc93aad620778411043245c2283a8045cbfb26b6e8a157fbd66145ccd00b7b5089d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac2ba7501460bec25a39329f549e5b2f

SHA1
fc9431869bd6a2ae6c73ec8bbe146db7f4e81fec

SHA256
7b46fce61de5c86290baab14c14e94f453458a6f1cbc6999647831ad49e59d43

SHA512
1f1cdd3e153f74cc4e2cde6834be610b457e3b7f55412d30943330ebf5e5da32c1039d7978a5c68b381dc2c13770d9284e975fb88cc7c0b62ed439c2a2841fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
087fdd6c681d86b6168f11b252c98a90

SHA1
eefebfed07424a5a0fa73b7d35dc1df3a6fcfcfd

SHA256
def8fe8f51b27ec3e18359187fc50b74b342480014b3e6bef433c2f63b4c49e0

SHA512
d0005491e8c51389435d9435f2c0a143ca0e66b1f5fb9f9929d02eec8c860055540230dc9402d2fcd0276a25448bdb325f7bc93875dd8ce8d25096e6e1c9e727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d415f5de38834f9526e124ded9ced40

SHA1
13971191de0eb71e85cd267b39330687a3dea5de

SHA256
1ef1fcd40b4a985a8e511e20f4f69081b26fb961b53a1662fb33c0463a5f9e7f

SHA512
97dfc3e546d457866528b401ad1758369156a4f9df7e47e17c344d834f066329b890250dd77ba35856091f13529116f107861d69d81293a5be2f861fded5bc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f708969ad75200ef409209180542434

SHA1
e3c95044cec078bcdbaa3d0f6787ad9a2269a5ec

SHA256
1bdc6831330ad9f1429c9de680f2ccb26089774d56f75f16dace07e3f9663048

SHA512
5f2684cb4ef777b1bdcfdef6dfdc97708ec5b266c5d2705aa314551fd1d717a753ae973cfbf457b2089f1be104fa1c9fb609dccc8d633ff607977cecf9226205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b1e9887d9680502348d883817dc1a55a

SHA1
f621e22dbf3ac1a206096073bdea0ad4e968b909

SHA256
9e54b7cde04fcc07f055b2d002e0253ee75239a3ac8500b1665265c4912a7d1d

SHA512
ac22b399263c7656f5c00ad5f749cc94ee16bda502b4b8517a309a0785c2f0c3e2ca5fdb1a01b11d019e95600a735c062553260a000cf2a31b304c62ced4b4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5af0ab.TMP

Filesize
48B

MD5
9153d6562169a340113c915d077dbacd

SHA1
90380d643443f3c807f97ca3dc284c632e1fc1ab

SHA256
9286f76094dc451b1e7a60bd3f51139a6942a020bc5a242f9a8fa3e50e92b3af

SHA512
40546e8927c02b6ddc6f30777a4b703cabfcb07ad0c4a741265e289f8f7e726ca7d707c753ecb59e2e84fbb6185fed3cc14666881bd9b4a77dd647d0f5cd186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f16d74b1040a28e275137e9ba30fa2f8

SHA1
63e271aab0932cd55dc3f4ae940f6bea3f4bee5a

SHA256
891353d8cf3f6cac7cf8d925d5db3626af8a4785f389506b09e04b1d43c04920

SHA512
086eddd0d807b8a4bd934002e2fbcfeccad2c270b8896e41e610373ac8def607bcddcdf3c5276b1fa980ac142f99810718f95d5d8062539a9b90e8dfac3a1586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3e24139b048a0bae47a1e7663f4cf5a1

SHA1
aa725ba4fcaa83b3d8cff9ff36464722231c1fea

SHA256
dc64726634220ce73d1e0df9b935822de8876aea679ea43b450a382e4df7023a

SHA512
4300c655bd1a604c86351757eeca2d381370c6a7d546ceb553bbcec9eee70bdcf33efdb4de12696b2c85006caa7fa2dca26439bef53dc7028bde9af80fc7f8e8

Download Submit
\??\pipe\LOCAL\crashpad_3772_WIZXGZHXGQQBWDKY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2028-34-0x00000000020A0000-0x00000000020D0000-memory.dmp

Filesize
192KB

Download
memory/2028-41-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2976-393-0x000000000D9A0000-0x000000000D9A8000-memory.dmp

Filesize
32KB

Download
memory/2976-392-0x00000000090D0000-0x0000000009674000-memory.dmp

Filesize
5.6MB

Download
memory/2976-402-0x0000000006780000-0x000000000686C000-memory.dmp

Filesize
944KB

Download
memory/2976-403-0x0000000006500000-0x000000000665C000-memory.dmp

Filesize
1.4MB

Download
memory/2976-390-0x0000000000B00000-0x0000000000FD4000-memory.dmp

Filesize
4.8MB

Download
memory/2976-391-0x00000000080D0000-0x0000000008834000-memory.dmp

Filesize
7.4MB

Download
memory/2976-547-0x000000000A200000-0x000000000A20A000-memory.dmp

Filesize
40KB

Download
memory/2976-401-0x00000000061D0000-0x00000000061F4000-memory.dmp

Filesize
144KB

Download
memory/2976-394-0x000000000E170000-0x000000000E1A8000-memory.dmp

Filesize
224KB

Download
memory/2976-400-0x0000000006460000-0x00000000064F2000-memory.dmp

Filesize
584KB

Download
memory/2976-399-0x00000000062F0000-0x000000000633A000-memory.dmp

Filesize
296KB

Download
memory/2976-395-0x000000000DC40000-0x000000000DC4E000-memory.dmp

Filesize
56KB

Download
memory/3424-88-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3424-1-0x00000000021E0000-0x0000000002210000-memory.dmp

Filesize
192KB

Download
memory/3424-8-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/4756-470-0x0000000005750000-0x000000000579A000-memory.dmp

Filesize
296KB

Download
memory/4756-439-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/4756-469-0x00000000055C0000-0x00000000056AB000-memory.dmp

Filesize
940KB

Download
memory/5460-572-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download