hxxps://sg[.]bill[.]com/ls/click?upn=u001[.]se4SimOEkqgQ32qtQ-2B6PfJKZbENe-2BfvXWZXi-2FT-2Fb7E-2BaqFz6t3fes14BRUnrXDTfD5jENGK9GNsIBc-2BtUzK1T65szsTIwpGiR9NvkajSnsUBOY8K61apBcIbCvW3dfiZGe5SGIs506sNIdCpsISBZfhKP4kF-2FLCCQfDafK8QYTQUACMSdQDvEqZUM2Ngwiv29BjNzVxzYu1ZEGON0s1Q3f3WVVh36kJg6gFH4OaDbCRbfP-2FCM5wXcEsi1hv33zYEdA4PCkkNSLyi1H2h6BYTVao0GBW1PVk1HhHM04i-2BNDI-3DwuI__Fgn3foq1WCGgDYegsh7LWDuAYR8ATnUuXze-2FXDaKqVtOLeerznMqdY-2Bwy0Xf1dBcuJHZz-2F7-2FsuHwgINdcfPg2DtfvB829MTZvIggxs8anxO7SNru8vaSWpbUfcetbG6ow7MEQlLscMBpp0-2FarebRjB-2Bws87MfYNI-2F68OauZG4BoEL77cE8lcNGyYqxvTzytQwf7Yyf9WzpcwKZj4OoB4MZmROpzUNun6kzTEa09Bzmg5xXt0PKcCBqbmRbAHIluEqwMMplE5cNv2hby-2FHJ9WSpFvmQjkD3ydRzGUvanJqdzAXnf-2F-2Fo3xcEMamsBFJxzftptoxxq6GHdeFAn-2FDYtPhNo-2FfxV0jPjwd69OFsTG1N-2FM43-2FwKkb-2FO7STILW-2B2uERNLFOJsfHQ0QV82UxS7JzTf-2B43aFujMig6YhloJn-2BbvrA2OsqUVtrcp8qJ45ALidAlo5EPS0HNL6GGcjeknN1HARFHq8TBVuj9B-2FJCI-2FNX2-2B1WJRsTIkZyfj-2Fozi7x9jY1Z-2BlLBavvnyIDH1tObylYg-3D-3D

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sg.bill.com/ls/click?upn=u001.se4SimOEkqgQ32qtQ-2B6PfJKZbENe-2BfvXWZXi-2FT-2Fb7E-2BaqFz6t3fes14BRUnrXDTfD5jENGK9GNsIBc-2BtUzK1T65szsTIwpGiR9NvkajSnsUBOY8K61apBcIbCvW3dfiZGe5SGIs506sNIdCpsISBZfhKP4kF-2FLCCQfDafK8QYTQUACMSdQDvEqZUM2Ngwiv29BjNzVxzYu1ZEGON0s1Q3f3WVVh36kJg6gFH4OaDbCRbfP-2FCM5wXcEsi1hv33zYEdA4PCkkNSLyi1H2h6BYTVao0GBW1PVk1HhHM04i-2BNDI-3DwuI__Fgn3foq1WCGgDYegsh7LWDuAYR8ATnUuXze-2FXDaKqVtOLeerznMqdY-2Bwy0Xf1dBcuJHZz-2F7-2FsuHwgINdcfPg2DtfvB829MTZvIggxs8anxO7SNru8vaSWpbUfcetbG6ow7MEQlLscMBpp0-2FarebRjB-2Bws87MfYNI-2F68OauZG4BoEL77cE8lcNGyYqxvTzytQwf7Yyf9WzpcwKZj4OoB4MZmROpzUNun6kzTEa09Bzmg5xXt0PKcCBqbmRbAHIluEqwMMplE5cNv2hby-2FHJ9WSpFvmQjkD3ydRzGUvanJqdzAXnf-2F-2Fo3xcEMamsBFJxzftptoxxq6GHdeFAn-2FDYtPhNo-2FfxV0jPjwd69OFsTG1N-2FM43-2FwKkb-2FO7STILW-2B2uERNLFOJsfHQ0QV82UxS7JzTf-2B43aFujMig6YhloJn-2BbvrA2OsqUVtrcp8qJ45ALidAlo5EPS0HNL6GGcjeknN1HARFHq8TBVuj9B-2FJCI-2FNX2-2B1WJRsTIkZyfj-2Fozi7x9jY1Z-2BlLBavvnyIDH1tObylYg-3D-3D

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{EE6A570C-7016-49FE-845A-45572FC0522A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2784	msedge.exe
2784	msedge.exe
3320	msedge.exe
3320	msedge.exe
5584	msedge.exe
5584	msedge.exe
3736	identity_helper.exe
3736	identity_helper.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3568	3320	msedge.exe	83
PID 3320 wrote to memory of 3568	3320	msedge.exe	83
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 1760	3320	msedge.exe	84
PID 3320 wrote to memory of 2784	3320	msedge.exe	85
PID 3320 wrote to memory of 2784	3320	msedge.exe	85
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86
PID 3320 wrote to memory of 4564	3320	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sg.bill.com/ls/click?upn=u001.se4SimOEkqgQ32qtQ-2B6PfJKZbENe-2BfvXWZXi-2FT-2Fb7E-2BaqFz6t3fes14BRUnrXDTfD5jENGK9GNsIBc-2BtUzK1T65szsTIwpGiR9NvkajSnsUBOY8K61apBcIbCvW3dfiZGe5SGIs506sNIdCpsISBZfhKP4kF-2FLCCQfDafK8QYTQUACMSdQDvEqZUM2Ngwiv29BjNzVxzYu1ZEGON0s1Q3f3WVVh36kJg6gFH4OaDbCRbfP-2FCM5wXcEsi1hv33zYEdA4PCkkNSLyi1H2h6BYTVao0GBW1PVk1HhHM04i-2BNDI-3DwuI__Fgn3foq1WCGgDYegsh7LWDuAYR8ATnUuXze-2FXDaKqVtOLeerznMqdY-2Bwy0Xf1dBcuJHZz-2F7-2FsuHwgINdcfPg2DtfvB829MTZvIggxs8anxO7SNru8vaSWpbUfcetbG6ow7MEQlLscMBpp0-2FarebRjB-2Bws87MfYNI-2F68OauZG4BoEL77cE8lcNGyYqxvTzytQwf7Yyf9WzpcwKZj4OoB4MZmROpzUNun6kzTEa09Bzmg5xXt0PKcCBqbmRbAHIluEqwMMplE5cNv2hby-2FHJ9WSpFvmQjkD3ydRzGUvanJqdzAXnf-2F-2Fo3xcEMamsBFJxzftptoxxq6GHdeFAn-2FDYtPhNo-2FfxV0jPjwd69OFsTG1N-2FM43-2FwKkb-2FO7STILW-2B2uERNLFOJsfHQ0QV82UxS7JzTf-2B43aFujMig6YhloJn-2BbvrA2OsqUVtrcp8qJ45ALidAlo5EPS0HNL6GGcjeknN1HARFHq8TBVuj9B-2FJCI-2FNX2-2B1WJRsTIkZyfj-2Fozi7x9jY1Z-2BlLBavvnyIDH1tObylYg-3D-3D
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7fff7fd646f8,0x7fff7fd64708,0x7fff7fd64718
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17912206795616725688,9187694215136863164,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0bbafd65-0813-457b-aa67-14d54ca83c36.tmp

Filesize
5KB

MD5
0d1fcebc16332b93ff43fb944ede6650

SHA1
dfc50dba0aba67941b5949833ff8c8d13aea30e1

SHA256
19a2547369053d42c6071e0988ad2f9d7c74143ab2d66f051383ba71e872e3aa

SHA512
bc93762f27a4da671b9cf0833f80ae2b34fd5ace15f4cbf1c4b3cb089edb5db2663b42c62bc9575fbd8cfb9ca6bd53236e2951bc8486ff9b7dd9121a3894c10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
aeacc6df637f502f4eb57153b05d2300

SHA1
247046b49c5c1c36e0320d736bb92de3e2239afd

SHA256
114306dae0bf2f6e189506abfbbd1ae29e70b367c74735afb4e29d3c2e33579d

SHA512
d83c76faa19cf9988d1b3f3c572d175dd814ab5c40aba9626b0d01e7d102d6bdf8d36b8ecbe0ea2eaca195aae251bc4fc63edf13c7dde7c09003a508bf2307d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_app02.us.bill.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a58c18510cbc10fd6e9094ab391936af

SHA1
27c4ae88c5e487fc58d46a15d037384a7341b962

SHA256
0aea422ccad63569b73cb8c5179de673e2519bbcab7b04dc1c3fd16d80b4a775

SHA512
5b931bba8cba0d899d099f5a9c167a7e3b4ff687e365008bbb27dc5540101a75aa1a11f04586ed368597a3f2b503499610424eff5490a090ea2aeb9d2f7fc97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
504d4fbcf4ee3c1439478784b76795d1

SHA1
adb8fdc671c396fad70a031b6d48e82da2b24405

SHA256
b808343b09bc0666ef39da4ca99eb0963561dd36d65df437c87f7d6cd693e111

SHA512
ff7ad9154c3db7efab1611841fc04fad5fe65c5c62083221c162653ca2fbc6a5190b5dc7ba44924301c9f9beb43514b7edf468a424dac499d34079138c5e71e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
874ec1eb6651b14848435fc0db8cf9eb

SHA1
3efca6fd5e68e2f831ba4ad886cc22181402a3a1

SHA256
80a548465fe470e74746dcd9599a4e1b5589de08f9e0bf07cf2e557db10e8b2f

SHA512
332deb0a721122ed0a1655a8f5ba47835676aa4c7f87bf7110aa471662f13ea85022ecf2813840b1c3e92fbd2d6d8c0fd2fc3a24d7fe050c2ae6893362894fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57de5a.TMP

Filesize
48B

MD5
4d1102eae3ff504dd16aace6de835037

SHA1
01b6a749c4a45faaf1e90396071abbe88e687de4

SHA256
b79c6ea4d0d80d8b9cc1c857f207f213e7c21a11efeb29cb2bdec93307cd6438

SHA512
9df01e88f52fbf3b9c84faf95a99d8434139f19a16d7e35f60f3c1982e43559d2e06e9ced858702e924bb46fc641c22f18df6b49d4622746f461630f65c4a741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b6401bafd5c482621efc6e4405489bf

SHA1
e31506f3dd08b606f9841c4ee0113e8a8ea5f872

SHA256
931acb3d53a758c1aaf23d4bcb736c53ad38537ef5dc64780b3a4aa6524288fc

SHA512
076e9697a3acb7987fb00e9549405184797370dcc8ed8368c076408b795e69f08ea56d4721f57c3611f38561345adfbb7a0cb9350cd01d7b3ee64266d645c2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd4d75af8db1e85a0b42fd4abd04d4f3

SHA1
cfb341e98b38c45ca24bf8e906425eb5b7e73f8c

SHA256
cf8589f623f5b18318bc40f7c0d91b6f4df35753d807f9e504954b89015896fa

SHA512
583e22750aefc2b9e814fc87e7d87708b319b009efd049b497a8e135d4f44cfffea6fd1d8005a0d5c8bc22537882ef1fe1bad7bf6d1c9aa3b94fda01bb4d6cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f422f676f0ed962392d8536287f0241a

SHA1
04e8a15968046b95f5fdd06733c6a9ba4a19b33f

SHA256
5c3f334c00c28503d35c8cd836b5fcb47db449788d6efb1e2a5c9c63eb5603ec

SHA512
936896ef78ad30fb42c4b5c9607d1db02291c6da38a045b39c5504389fff264b9c3fac33d946c7bcd2a2e41741cfee3735a455edad449baf93ede5f330b1e2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a722c8d9917e3fee803e1b20c951a881

SHA1
f5f35ca138fac35651158fe3b61f60169549af33

SHA256
1fb33e471abb7885a508ecf44b55af09ecbc425867edde399114c850e5cb1a5b

SHA512
11c46163f6f71490dad53398440de3bcf334c3a4cda6c2e871509baa8868d8c29f64ecab5461b180efc0a28f38c04ae037a225340bfe36022c4259b07840a982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d0ec.TMP

Filesize
1KB

MD5
cbc97d1b3f9abaa80281b6441d82d155

SHA1
9963fb6e97fb86db0a895fab716d81e0312cc577

SHA256
510591ddce7968d57026cb1754a9ef9a7de7d367dd8c5a9a1073dbb0a598bc58

SHA512
b6833b8de1dd75dc64574d25347b655d5e552928ca3279894cbb98b781f288428cb8e4faef1a7a9fab8be31847bc6073ca9b2ba277513970c72763f472eba2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4e48fb6289788d2fedf3b628ebfa3c1b

SHA1
b10199a863bb4a00ffc4c590c96455b028adcb4d

SHA256
e2776c2e9d2887ee6a44ddaa8bb4f1def6d5f2c41ce844652eb1180580a84c99

SHA512
679d78d23f3b59052df1eece171cbff371470d667fa5e4251a1d8e9046f6a3c76dcaa8409e118a50ece7527c1789b3d83c8b37079cfe08bde4a6e4bb9b340d76

Download Submit