Resubmissions

Submitted           Task ID             Score
01/11/2024, 12:33   241101-pradyaypdv   10
27/10/2024, 23:08   241027-24hmasskhj   10
20/10/2024, 16:28   241020-tyzdvsxgqb   10
20/10/2024, 16:26   241020-tx2gtszekk   3
02/10/2024, 11:53   241002-n2j6fsycqb   3
13/09/2024, 04:59   240913-fmwxpswcpb   3
11/09/2024, 15:54   240911-tcmg6sygmm   3
11/09/2024, 15:53   240911-tbsmsszbnh   3
25/08/2024, 22:53   240825-2t6als1gll   10

Analysis

- max time kernel: 329s
- max time network: 331s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 22:53
Static task: static1

Behavioral task: behavioral1
  Sample: dl2.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: dl2.exe
  Resource: win10v2004-20240802-en
General

- Target: dl2.exe
- Size: 849KB
- MD5: c2055b7fbaa041d9f68b9d5df9b45edd
- SHA1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
- SHA256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
- SHA512: 18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
- SSDEEP: 12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
- PID 4620 msedge.exe
- PID 4620 msedge.exe
- PID 3772 msedge.exe
- PID 3772 msedge.exe
- PID 3000 identity_helper.exe
- PID 3000 identity_helper.exe
- PID 4436 msedge.exe
- PID 4436 msedge.exe
- PID 4436 msedge.exe
- PID 4436 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 808 dl2.exe
- PID 1700 dl2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- C:\Users\Admin\AppData\Local\Temp\dl2.exe (PID 808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dl2.exe"
  Signatures:
  - Suspicious use of SetWindowsHookEx

- C:\Users\Admin\AppData\Local\Temp\dl2.exe (PID 1700)
  Command line: C:\Users\Admin\AppData\Local\Temp\dl2.exe {B6D47D75-8ACB-40BC-B4B0-7A7C4B6965C4}
  Signatures:
  - Suspicious use of SetWindowsHookEx

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures:
  - BazarBackdoor
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa20ca46f8,0x7ffa20ca4708,0x7ffa20ca4718

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4620)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4396)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3516)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 620)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4828)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2668)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3000)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4120)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 976)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,818704344727047198,15736220499820968243,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1076 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 956)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 1364)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 847d47008dbea51cb1732d54861ba9c9
  SHA1: f2099242027dccb88d6f05760b57f7c89d926c0d
  SHA256: 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
  SHA512: bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

- Filesize: 5KB
  MD5: dc652d6e1474d712f06bea02eeac9e76
  SHA1: 54d21d37b5f82ef492fde3f2678df62b4ddd773d
  SHA256: 7354248d1a78313bd746f97ccdbf117db56befda6adb2a98623f37016ee6b6a3
  SHA512: 9e8eeebd53759fe7125288338e192308d5a07a380d212ad140f41fffc4027052d89f690633aee6e1ba67539a8d973887aa2125247c8b20114ff9857b5c06a827

- Filesize: 6KB
  MD5: 3c09aec9f511a7ac717a884aa6803042
  SHA1: 48175e52a84975d2443997de99daf3ae0bb3ca27
  SHA256: cb05f3abe6a6fb06b3a4734d5ac15b6ed5a1d4d566c2cbe1382abba95402ffe5
  SHA512: d7ecb50b6fcf3df1123cd36b98c60d78e857c14a65921184c8b3989a22e3f77963f0b54e0b3e4a7a0f56fd2f036860962e3081e5f13c530e76da27ff4c524f64

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 5ca0192218722a012291004b0138302f
  SHA1: 3971c6b44a2939d7948bfed0475ab1cc0e7b0433
  SHA256: 8184c64cdd134e0a080e89d57a2e368903c7f4b75e01a51965f49f5fdeed7167
  SHA512: fb7107ffb62f131a88eca3238cc6a3b88efe0d8710b999c9260ecab3320b282097f1e5c06464d70e883854eac3ecfa0031c478d705cda54ef6e6a6b681149374