bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
329s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor discovery

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

msedge.exe

flow	ioc
184	zirabuo.bazar
113	zirabuo.bazar
135	zirabuo.bazar
147	zirabuo.bazar
165	zirabuo.bazar
166	zirabuo.bazar
178	zirabuo.bazar
180	zirabuo.bazar
126	zirabuo.bazar
163	zirabuo.bazar
176	zirabuo.bazar
182	zirabuo.bazar
177	zirabuo.bazar
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
103	zirabuo.bazar
124	zirabuo.bazar
144	zirabuo.bazar
145	zirabuo.bazar
146	zirabuo.bazar
160	zirabuo.bazar
183	zirabuo.bazar
185	zirabuo.bazar
119	zirabuo.bazar
154	zirabuo.bazar
164	zirabuo.bazar
186	zirabuo.bazar
137	zirabuo.bazar
143	zirabuo.bazar
162	zirabuo.bazar
172	zirabuo.bazar
138	zirabuo.bazar
152	zirabuo.bazar
156	zirabuo.bazar
109	zirabuo.bazar
130	zirabuo.bazar
148	zirabuo.bazar
161	zirabuo.bazar
169	zirabuo.bazar
175	zirabuo.bazar
181	zirabuo.bazar
123	zirabuo.bazar
132	zirabuo.bazar
117	zirabuo.bazar
118	zirabuo.bazar
133	zirabuo.bazar
139	zirabuo.bazar
158	zirabuo.bazar
174	zirabuo.bazar
168	zirabuo.bazar
134	zirabuo.bazar
136	zirabuo.bazar
149	zirabuo.bazar
151	zirabuo.bazar
153	zirabuo.bazar
155	zirabuo.bazar
167	zirabuo.bazar
159	zirabuo.bazar
141	zirabuo.bazar
104	zirabuo.bazar
140	zirabuo.bazar
150	zirabuo.bazar
157	zirabuo.bazar
171	zirabuo.bazar
105	zirabuo.bazar

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
105	zirabuo.bazar
149	zirabuo.bazar
158	zirabuo.bazar
164	zirabuo.bazar
171	zirabuo.bazar
143	zirabuo.bazar
159	zirabuo.bazar
163	zirabuo.bazar
170	zirabuo.bazar
184	zirabuo.bazar
146	zirabuo.bazar
154	zirabuo.bazar
185	zirabuo.bazar
119	zirabuo.bazar
133	zirabuo.bazar
151	zirabuo.bazar
162	zirabuo.bazar
103	zirabuo.bazar
110	zirabuo.bazar
136	zirabuo.bazar
148	zirabuo.bazar
118	zirabuo.bazar
160	zirabuo.bazar
113	zirabuo.bazar
132	zirabuo.bazar
161	zirabuo.bazar
166	zirabuo.bazar
174	zirabuo.bazar
180	zirabuo.bazar
126	zirabuo.bazar
137	zirabuo.bazar
155	zirabuo.bazar
169	zirabuo.bazar
179	zirabuo.bazar
142	zirabuo.bazar
145	zirabuo.bazar
187	zirabuo.bazar
114	zirabuo.bazar
147	zirabuo.bazar
152	zirabuo.bazar
153	zirabuo.bazar
173	zirabuo.bazar
124	zirabuo.bazar
134	zirabuo.bazar
141	zirabuo.bazar
144	zirabuo.bazar
150	zirabuo.bazar
138	zirabuo.bazar
140	zirabuo.bazar
175	zirabuo.bazar
178	zirabuo.bazar
135	zirabuo.bazar
156	zirabuo.bazar
177	zirabuo.bazar
183	zirabuo.bazar
130	zirabuo.bazar
139	zirabuo.bazar
165	zirabuo.bazar
168	zirabuo.bazar
186	zirabuo.bazar
104	zirabuo.bazar
123	zirabuo.bazar
157	zirabuo.bazar
172	zirabuo.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	45.63.124.65
Destination IP	63.231.92.27
Destination IP	87.98.175.85
Destination IP	51.255.48.78
Destination IP	147.135.185.78
Destination IP	69.164.196.21
Destination IP	146.185.176.36
Destination IP	188.165.200.156
Destination IP	104.238.186.189
Destination IP	5.132.191.104
Destination IP	51.254.25.115
Destination IP	193.183.98.66
Destination IP	89.18.27.167
Destination IP	63.231.92.27
Destination IP	81.2.241.148
Destination IP	163.172.185.51
Destination IP	172.104.136.243
Destination IP	142.4.204.111
Destination IP	172.98.193.42
Destination IP	66.70.211.246
Destination IP	172.98.193.42
Destination IP	185.117.154.144
Destination IP	162.248.241.94
Destination IP	169.239.202.202
Destination IP	45.71.112.70
Destination IP	144.76.133.38
Destination IP	192.52.166.110
Destination IP	111.67.20.8
Destination IP	162.248.241.94
Destination IP	89.18.27.167
Destination IP	82.141.39.32
Destination IP	45.71.112.70
Destination IP	91.217.137.37
Destination IP	139.99.96.146
Destination IP	82.141.39.32
Destination IP	212.24.98.54
Destination IP	198.251.90.143
Destination IP	172.98.193.42
Destination IP	45.32.160.206
Destination IP	77.73.68.161
Destination IP	185.164.136.225
Destination IP	158.69.160.164
Destination IP	5.45.97.127
Destination IP	82.196.9.45
Destination IP	193.183.98.66
Destination IP	51.255.48.78
Destination IP	128.52.130.209
Destination IP	185.208.208.141
Destination IP	51.254.25.115
Destination IP	142.4.204.111
Destination IP	130.255.78.223
Destination IP	91.217.137.37
Destination IP	176.126.70.119
Destination IP	50.3.82.215
Destination IP	45.71.112.70
Destination IP	5.132.191.104
Destination IP	92.222.97.145
Destination IP	77.73.68.161
Destination IP	172.104.136.243
Destination IP	138.197.25.214
Destination IP	92.222.97.145
Destination IP	163.53.248.170
Destination IP	107.172.42.186
Destination IP	82.141.39.32

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4620	msedge.exe
4620	msedge.exe
3772	msedge.exe
3772	msedge.exe
3000	identity_helper.exe
3000	identity_helper.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe
3772 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dl2.exedl2.exe

pid process

808 dl2.exe
1700 dl2.exe

pid	process
808	dl2.exe
1700	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3772 wrote to memory of 2376	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 2376	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 5044	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4620	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4620	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 4396	3772	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:808

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {B6D47D75-8ACB-40BC-B4B0-7A7C4B6965C4}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa20ca46f8,0x7ffa20ca4708,0x7ffa20ca4718
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc652d6e1474d712f06bea02eeac9e76

SHA1
54d21d37b5f82ef492fde3f2678df62b4ddd773d

SHA256
7354248d1a78313bd746f97ccdbf117db56befda6adb2a98623f37016ee6b6a3

SHA512
9e8eeebd53759fe7125288338e192308d5a07a380d212ad140f41fffc4027052d89f690633aee6e1ba67539a8d973887aa2125247c8b20114ff9857b5c06a827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c09aec9f511a7ac717a884aa6803042

SHA1
48175e52a84975d2443997de99daf3ae0bb3ca27

SHA256
cb05f3abe6a6fb06b3a4734d5ac15b6ed5a1d4d566c2cbe1382abba95402ffe5

SHA512
d7ecb50b6fcf3df1123cd36b98c60d78e857c14a65921184c8b3989a22e3f77963f0b54e0b3e4a7a0f56fd2f036860962e3081e5f13c530e76da27ff4c524f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ca0192218722a012291004b0138302f

SHA1
3971c6b44a2939d7948bfed0475ab1cc0e7b0433

SHA256
8184c64cdd134e0a080e89d57a2e368903c7f4b75e01a51965f49f5fdeed7167

SHA512
fb7107ffb62f131a88eca3238cc6a3b88efe0d8710b999c9260ecab3320b282097f1e5c06464d70e883854eac3ecfa0031c478d705cda54ef6e6a6b681149374

Download Submit
\??\pipe\LOCAL\crashpad_3772_HNBWTDJFDNGOWKSM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/808-1-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/808-8-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/808-18-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1700-17-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1700-10-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download