hxxps://www[.]wixsite[.]com/_api/invoice/2e2a5a14-e43c-467e-8e24-878e7e41cc58[:]a803af1c-7dd6-4a14-977a-062311ec44d8/view?token=dee0c81d-a2cf-4699-94df-dc31c781c707

Resubmissions

27/09/2024, 07:23

240927-h73bbs1fjp 3

25/09/2024, 06:40

25/09/2024, 06:28

25/09/2024, 06:13

25/09/2024, 06:10

25/09/2024, 06:06

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.wixsite.com/_api/invoice/2e2a5a14-e43c-467e-8e24-878e7e41cc58:a803af1c-7dd6-4a14-977a-062311ec44d8/view?token=dee0c81d-a2cf-4699-94df-dc31c781c707

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{8FB58A7B-BE8A-4184-B606-C7710E734135}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1976	msedge.exe
1976	msedge.exe
3420	msedge.exe
3420	msedge.exe
3004	identity_helper.exe
3004	identity_helper.exe
64	msedge.exe
64	msedge.exe
1212	msedge.exe
1212	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	708	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3904	3420	msedge.exe	82
PID 3420 wrote to memory of 3904	3420	msedge.exe	82
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1868	3420	msedge.exe	83
PID 3420 wrote to memory of 1976	3420	msedge.exe	84
PID 3420 wrote to memory of 1976	3420	msedge.exe	84
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85
PID 3420 wrote to memory of 1512	3420	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.wixsite.com/_api/invoice/2e2a5a14-e43c-467e-8e24-878e7e41cc58:a803af1c-7dd6-4a14-977a-062311ec44d8/view?token=dee0c81d-a2cf-4699-94df-dc31c781c707
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdffd46f8,0x7ffbdffd4708,0x7ffbdffd4718
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=3452 /prefetch:6
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7244 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7445771922129111040,1243423355840173621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
23KB

MD5
2f24e0f5d2c2997a89fb4a8d943c141f

SHA1
99515bde1a5bf72105116ac902ccf3db1dd3df29

SHA256
60c9ecaf27ba56d7c35aa78c329aa7dfa586e6c71ed3cdd0019ba7e767b18aaf

SHA512
0f4c5508dfdcf0ef63141df8d29c76e219d2ec433d59d37d7f17e110b455f24235fd0bc4f539ad5adc368285536d73f57dc4e21e3201dfd5753e76789208989d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
1c5b3361338e26e864775f49267d7d28

SHA1
e2056859457152419bb4ceb2bf367c6650216dfa

SHA256
aade42a24b23811db317a2aa6d523614b108899941e49d5800d83ecb5c9cba53

SHA512
9c96e71bd20e9cc8e167f2bb7183b9ba914e47b87825b0e3e5c15ff6706334b4dee6ed555711efdc65fc6eb475b45e05a8a85d14a8a98067eea33c79a5126b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
23a40587377b82a71a4c1c02022c3133

SHA1
aaa839b8539dca14b66c07118087bd22e4a0f2eb

SHA256
75d56c664147f271e24e9e78ef9268a616b612421ec125e0511e63caa9fcd1f7

SHA512
29448db981530ff9f206b12fa6693bc2bc5fbc454cc1b87266e8becd5c2bd5288d1bd4c99fc84bd66d2cc6e5ee3baa915641d63af4609414314981735a67db65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5aa2faa54eb402e2e267cbb6f72fc976

SHA1
545f7e8481497cc71838502b0e2011a096808f67

SHA256
5cea956089c3f5d51dd076cf06b57917eb8bd18e1cb09c9ea02d0686365cba79

SHA512
3cd83de20d67827eea378c28f66edfab2516eb10deb7cedaea9eedaa2b508bad6e2fb1c4d38710057acc342f39b64477c16867ceae28cb44cb56b8131b93aca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
932B

MD5
f89906b6047aa8418745c443236df024

SHA1
410695b1aa816b48342dbbfde50b14b7befc5f2e

SHA256
5471bbb66335d9c05d1082b6b002f996e0a73c8b8ca426fc1be4a51c56486885

SHA512
91d09f1bdf0f5056fc0fa493de82d315bbb2178508a863d0d7bf8805db203de159c4c8dc4b603610496e6641c0c3c844e82e14f53d8ea6d109f618898c66e875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
cef712121e1ea19a1c9b879b7012cea3

SHA1
bfc7fab2a8694f6ef5d75efd286d5d3a40d8d906

SHA256
117ef08ded51cf92eb969bbf4804221c124862f4160de05ebbfddee95fa70632

SHA512
67f1af7d5960c2ac6e7bf89d1807a600b8d21e239a4595623911bda861ba7a575e2c2123d7835d1a80a9c8fdb235661e515d1721c2216245f0c403cba78c2962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
981fb885e4209be4e5a7423e96b0f103

SHA1
032778ed1644fef5d15e9dcc9b3951dcffe01b2c

SHA256
6655651fd01d40fa23b5c8f4ef4a1adac9e8b5e6f622d25750a7142bafef3b89

SHA512
96f1a0c2bd3bf108f57c88982ab7c532926ce78021644b710dc514ad812fe8d1092c1567dcc448a4b722357249ff001a4963aef61b013609cd53cd69f7a76b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bc33ac8b4ffbb205c04150a60e6cd44

SHA1
693de73a50de35d7d8f3c7dfadd5301f26458103

SHA256
3ba0b9eb6ccd8890eb5bc5f0b2b810af9fce26357a4bcdfe90e1cce6e5cda09b

SHA512
c3f22c0bc09862eedadfac1caab06d6bd0e86bd7d9fd46393f2c04e1ff784f82f214c882574b9b1c17f4a9db5b78c70d70912020492260616e67a070a1a88f8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2028d51eb6a2d64249ebcfd2529863f1

SHA1
f89b24f8900a2692248eec5dbcf836bbca60558c

SHA256
b9ad5bb9be9b017f19ba9731bd9fcc2ba5ebea3c56383e7e90cd3ec0eb2555ea

SHA512
8748fc17eff6764821a7cb6c9b09682ee4266d638ac602a91108d513a573cf3e40c209c3b9a60c44c5c1ebe758dbc84c7c31ccecd9c114088d12fa1afead9ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
87a1637158a9f8268ed7c8bf75f34f3a

SHA1
9737998a6480047d7d06ff121d2d5331ffaea10b

SHA256
d5c0f332a36bd7d0167c7efa4aa1b60945a7491b5131472fe0cfe90ffa275ba9

SHA512
d8a9a47e6e803a8140d3f7bb00d8cc9028ce05ab003207ae5df54481fbe743e0a416aeec05df3df75544fa2718ffb36829f2e64b19b5b70664d3c872f203d860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f58c46e9373c2e7045b664b7da2d9b2a

SHA1
1ba919f5a11821794e7b83a6425181445db3a9d6

SHA256
7f38b2cb25e6edbb14b63b6014074ae6639f804dbdeebc9c8b9db65bbd583826

SHA512
0b10b7fcdc9103e85131519179000b1ad43cda8be9bcfb9a37bc4b8d70c17f9001dc6eb71b79191837c81e82184581f24f1b4215614ecacd6f9ab59cae994811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d14ffad9f51c7a0357420f559bfbfcd

SHA1
efb2ae67995e93f78d93a9234c00a0d332fd2d52

SHA256
c915d6b6d303bcf6dd576741caad82cbefcaedc41c563cc6d28e61ef7b1dc9d6

SHA512
b6f01b534819e76373a314bc34708d52b046f9e9b07c3fd0907fc3ee611ca45cc66db9a1dba44db5e1d3acf40807c47f4520c8e7f8ffd14d2188350ecf017167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f31b2a3099acb9b36c38caab0df2f3b

SHA1
e7b7f6d36d2b9dea2e22e7847c9592906cb179e8

SHA256
589d6c1b5fefd9e5171c25116883be084946f9f28c11a01366af2ef730c92e18

SHA512
6e673c4e275bba011494882cbdc56977ec2aed7bc64058439a6f94f2f7d24fa7895c243a3bdbe19f079fed7db41f3de9fe640793bd8cd85213078f7b89a91652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c541b627d02f55f9baf8ee907327ecdd

SHA1
bc460f542ac85f4ff70a838f697a6d29940bce5f

SHA256
d80a2138738aa9507ecc841c22aeedaf60706ce267164b10d1f44dea3bee707f

SHA512
fdd5675089fb0a53196458faf5d3f57d71ef6d37a3ac44fb145c972ec1be5213f549b407fee9c97bdec2926e989e53e61c49659d6013271c2b433402df310060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77ec441d2638dd247c99d3b2c9f45a90

SHA1
2aac68d2695bbceba2798bd94b67aa37d4d4dc63

SHA256
861a55c2265143d13654fe132cc9b229e15652394f0540d3c73eb7195547d676

SHA512
daf451189d3e1de8429f3d25427a4fa4339ebc423a0c88f341a551974275b7d69c48af5d90ae71609d7a2d4fe403839e373222f3f55c69f71c233a8a8db9d43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
976622ba188cc18fc434633527722bf9

SHA1
afb523fa21a8cfdfc073d797889e59980069f8b8

SHA256
a82f9feaf08d4d8e1dc3c5e87eeaa28ac507bd6130f35a29cbc283d263ce6223

SHA512
9b8ce9757da4d6465a0d1c6851028705bfc1014846cecf76d90210438ab72bfaaaf9a589b5021518df2dfbd2c314933154dea0795c1b7fc0f668264faa9257b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
b7d0b8e2b0d7b28553fb2c5facabc1e4

SHA1
2b3961f5026be1b01f4c392f22301cb3a7e14f65

SHA256
d0eb3974efdaa04704925480103ae29209a63008e421eec1eb6f8a56d64e37ed

SHA512
ae47b58c8e6fb3205f548ad5ac7bec8484db302bf8af9df7d488dab6c665a82ba50b41bb4b0425690c57d472fdaf9e5d622eb817abee7cfa6fa752f54ebf2e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37f1b87b25bbb9e0167d599935a1e157

SHA1
6781001884fca182595adde576f2d2cd5c658cbb

SHA256
b4c1cf9c8523bd52047f8efce2273309bad069076a288229926dd9d59da6d514

SHA512
c2180a197d2a061a899d19831f3223705ac9bc9067acc03b003074972a7e632ec55011087fbc266dce3f01a49f59045944fd352d19d116b55655e5c821c8a7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fecd.TMP

Filesize
203B

MD5
6af57355f54c944e9d6d2814f0f46abc

SHA1
4c2653de9507dfe9c680978f71391c4b1aca6817

SHA256
57444be54248cf88323b96eaf12c796b75b60b394459c75a92c099eb13ce2026

SHA512
5e5b49599c28702de0480b96d34b3dc83e1561cd83b9c19fd5455a0ffbe1ba67eae2f3add7e3cc221a6f91ea426f9e9db659210ea860511e44b1816bb10e9adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88a0b18a28025c392283a1635e901d72

SHA1
d59082b6f04d56835986d79c38fc0275b1bc2b7d

SHA256
97a02b77f16848b685a8b8b1ddca76ba85f3a800214c0dccd4c788c5c01b71ef

SHA512
efb22b70134b146699abde04b0bca47c697270694e3c0c6a1589ac9ac464e1df9a24abe05996276141626f051e982629a18c0d7ba68d430143fa5ca480b97315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec32ff4487907caf7d4a5be81a8504a3

SHA1
a4706e8f5e9480787f7bc17b23de461ca7274c21

SHA256
803c8dac24e553d620640150f038332a10100633e73c8bb2616c62238c3ef78f

SHA512
763231f12bdc38ebe32f6df1f33859bc476e79cff1c44aef000294aefd587fd48bcbdbe392e2e5b08b5380b440a17408c932f3f68eeb3ea78d99b2bf9b27f380

Download Submit