bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
1049s
max time network
1054s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor discovery

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
134	zirabuo.bazar
185	zirabuo.bazar
152	zirabuo.bazar
175	zirabuo.bazar
182	zirabuo.bazar
129	zirabuo.bazar
159	zirabuo.bazar
184	zirabuo.bazar
148	zirabuo.bazar
155	zirabuo.bazar
180	zirabuo.bazar
187	zirabuo.bazar
101	zirabuo.bazar
128	zirabuo.bazar
138	zirabuo.bazar
154	zirabuo.bazar
177	zirabuo.bazar
179	zirabuo.bazar
102	zirabuo.bazar
135	zirabuo.bazar
139	zirabuo.bazar
150	zirabuo.bazar
164	zirabuo.bazar
172	zirabuo.bazar
108	zirabuo.bazar
167	zirabuo.bazar
183	zirabuo.bazar
116	zirabuo.bazar
122	zirabuo.bazar
123	zirabuo.bazar
142	zirabuo.bazar
186	zirabuo.bazar
104	zirabuo.bazar
160	zirabuo.bazar
165	zirabuo.bazar
170	zirabuo.bazar
171	zirabuo.bazar
174	zirabuo.bazar
137	zirabuo.bazar
103	zirabuo.bazar
146	zirabuo.bazar
147	zirabuo.bazar
151	zirabuo.bazar
169	zirabuo.bazar
117	zirabuo.bazar
143	zirabuo.bazar
158	zirabuo.bazar
161	zirabuo.bazar
168	zirabuo.bazar
113	zirabuo.bazar
118	zirabuo.bazar
149	zirabuo.bazar
153	zirabuo.bazar
157	zirabuo.bazar
178	zirabuo.bazar
109	zirabuo.bazar
145	zirabuo.bazar
163	zirabuo.bazar
166	zirabuo.bazar
181	zirabuo.bazar
127	zirabuo.bazar
136	zirabuo.bazar
140	zirabuo.bazar

Bazarbackdoor family
bazarbackdoor

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
144	zirabuo.bazar
145	zirabuo.bazar
135	zirabuo.bazar
139	zirabuo.bazar
141	zirabuo.bazar
149	zirabuo.bazar
150	zirabuo.bazar
173	zirabuo.bazar
174	zirabuo.bazar
182	zirabuo.bazar
128	zirabuo.bazar
172	zirabuo.bazar
103	zirabuo.bazar
117	zirabuo.bazar
175	zirabuo.bazar
129	zirabuo.bazar
154	zirabuo.bazar
160	zirabuo.bazar
113	zirabuo.bazar
122	zirabuo.bazar
157	zirabuo.bazar
167	zirabuo.bazar
108	zirabuo.bazar
147	zirabuo.bazar
153	zirabuo.bazar
116	zirabuo.bazar
155	zirabuo.bazar
179	zirabuo.bazar
101	zirabuo.bazar
151	zirabuo.bazar
163	zirabuo.bazar
166	zirabuo.bazar
176	zirabuo.bazar
185	zirabuo.bazar
159	zirabuo.bazar
165	zirabuo.bazar
181	zirabuo.bazar
187	zirabuo.bazar
109	zirabuo.bazar
178	zirabuo.bazar
180	zirabuo.bazar
146	zirabuo.bazar
164	zirabuo.bazar
168	zirabuo.bazar
102	zirabuo.bazar
104	zirabuo.bazar
134	zirabuo.bazar
137	zirabuo.bazar
142	zirabuo.bazar
156	zirabuo.bazar
158	zirabuo.bazar
162	zirabuo.bazar
177	zirabuo.bazar
112	zirabuo.bazar
127	zirabuo.bazar
138	zirabuo.bazar
152	zirabuo.bazar
169	zirabuo.bazar
170	zirabuo.bazar
171	zirabuo.bazar
183	zirabuo.bazar
184	zirabuo.bazar
186	zirabuo.bazar
118	zirabuo.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	172.98.193.42
Destination IP	5.132.191.104
Destination IP	69.164.196.21
Destination IP	51.254.25.115
Destination IP	5.45.97.127
Destination IP	50.3.82.215
Destination IP	51.254.25.115
Destination IP	185.117.154.144
Destination IP	159.89.249.249
Destination IP	5.132.191.104
Destination IP	144.76.133.38
Destination IP	82.141.39.32
Destination IP	104.238.186.189
Destination IP	111.67.20.8
Destination IP	46.28.207.199
Destination IP	188.165.200.156
Destination IP	89.35.39.64
Destination IP	51.255.211.146
Destination IP	81.2.241.148
Destination IP	94.177.171.127
Destination IP	169.239.202.202
Destination IP	5.45.97.127
Destination IP	158.69.160.164
Destination IP	45.71.112.70
Destination IP	188.165.200.156
Destination IP	185.164.136.225
Destination IP	172.98.193.42
Destination IP	104.37.195.178
Destination IP	142.4.204.111
Destination IP	51.254.25.115
Destination IP	89.18.27.167
Destination IP	51.254.25.115
Destination IP	77.73.68.161
Destination IP	46.101.70.183
Destination IP	159.89.249.249
Destination IP	198.251.90.143
Destination IP	185.117.154.144
Destination IP	5.135.183.146
Destination IP	45.63.124.65
Destination IP	31.171.251.118
Destination IP	111.67.20.8
Destination IP	217.12.210.54
Destination IP	87.98.175.85
Destination IP	158.69.160.164
Destination IP	172.98.193.42
Destination IP	94.177.171.127
Destination IP	111.67.20.8
Destination IP	51.254.25.115
Destination IP	185.164.136.225
Destination IP	139.99.96.146
Destination IP	89.35.39.64
Destination IP	128.52.130.209
Destination IP	82.196.9.45
Destination IP	51.254.25.115
Destination IP	146.185.176.36
Destination IP	185.117.154.144
Destination IP	185.208.208.141
Destination IP	51.255.48.78
Destination IP	111.67.20.8
Destination IP	167.99.153.82
Destination IP	128.52.130.209
Destination IP	185.121.177.177
Destination IP	94.177.171.127
Destination IP	192.99.85.244

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3840	msedge.exe
3840	msedge.exe
3864	msedge.exe
3864	msedge.exe
4560	identity_helper.exe
4560	identity_helper.exe
5596	msedge.exe
5596	msedge.exe
5596	msedge.exe
5596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3864 msedge.exe
3864 msedge.exe
3864 msedge.exe
3864 msedge.exe
3864 msedge.exe
3864 msedge.exe
3864 msedge.exe
3864 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dl2.exedl2.exe

pid process

4420 dl2.exe
2412 dl2.exe

pid	process
4420	dl2.exe
2412	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3864 wrote to memory of 380	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 380	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 4480	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 3840	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 3840	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe
PID 3864 wrote to memory of 2792	3864	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {A3E01F80-938E-4A69-BF39-8B90375A39E4}
1⤵
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd21346f8,0x7ffdd2134708,0x7ffdd2134718
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10397727290202076814,15891216835473613842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0d6548b00dc9276c64ccc2ce0c36cf9

SHA1
0bd81212b93ea457ddcac28285dabeab7d2c00e6

SHA256
bf1f67f30e2114edc2ba6e4bca55df5c7aad3d934749c23cdc37f1fb2757e475

SHA512
447d7685b7861fd874789ad021b7848e72830ac8595a1ee40cff7c585a79dc277c6308490417847b56d58da89ef79c23843cf54174480df1243268785c60abeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
716e21be885c2d98dec6bc2996ced2c2

SHA1
8e2441778e5c838d4fd92462a48e4202d389191e

SHA256
f0e360801d71799fa18e543b277ecada44a1b6c89455ef0912b37117463d2ae4

SHA512
09ef88c3bf5f8b426353b726847524cbc55f3342ab94a0f809e4fdefcdd45af2422978c9dd76d75b84f5321a73813a42299e06d3ede2a59519849ef01ded3980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e6febbf3264d496530184c3aabc7c0b

SHA1
f7a41acded92dafe85ad75ed3b621d967a875034

SHA256
4646cb84ce09aa779457a7d0dbb1c69bcb9ffda59f689f78602f20275301a518

SHA512
dc9bbc9f72589ba3eb144935fc5971f97251052bebd3f3c5264f5e334173d15dd6abfcc30722a667fb09bb97d2ba8f57de1d8e332a30948b155de95fa56f529d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
62876a252b42ea399cfcdd2bd726d5d2

SHA1
1f7267ba18680d75449c336d1262159db04337f5

SHA256
26691ff9a09ff4fc29d8b9be1d57eda932a60ba191c06b96b4b620035730397a

SHA512
8d577be2833d2ebee799e03578aaf3104a24b31d2bab0e75211f3d6690182adda5981f9a4f3b6844875e87c831b7f794ec3dc8830e41edf8f091248104dca714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
468bf3a38450d97eb3a20d605e615b5a

SHA1
712e2980dc48adecca79a22e27a8f459dccb52aa

SHA256
6fe5894f60a98179696b24bab6c8d25676dd4b087607c6c7865bcb2524b4fdb9

SHA512
bf624c7a05b6790f075d94ad82dd04c49132343c517c4f91a981f0eb40864825cedbeb1e59aa75f3ae96fbe3ff55fa40564394f22decafec6b062664355faaeb

Download Submit
\??\pipe\LOCAL\crashpad_3864_XTUGGNKFERTJJCLU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2412-10-0x0000000002200000-0x0000000002230000-memory.dmp

Filesize
192KB

Download
memory/2412-17-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/4420-3-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/4420-18-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/4420-1-0x00000000020F0000-0x0000000002120000-memory.dmp

Filesize
192KB

Download