hxxp://getwix[.]pro

Resubmissions

04-12-2024 22:46

241204-2qapja1lfj 10

04-12-2024 22:44

241204-2n85ba1lbm 3

Analysis

max time kernel
73s
max time network
74s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://getwix.pro

Score

10^/10

discovery execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3160 created 3076	3160	driver1.exe	50

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5864	powershell.exe
6088	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3160	driver1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\75cf26d3-4d76-4cd3-8a53-09139250eb0a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241204224902.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5392	3160	WerFault.exe	126
5380	3160	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	83	Go-http-client/1.1
HTTP User-Agent header	93	Go-http-client/1.1
HTTP User-Agent header	97	Go-http-client/1.1
HTTP User-Agent header	101	Go-http-client/1.1

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3660	msedge.exe
3660	msedge.exe
2680	identity_helper.exe
2680	identity_helper.exe
548	msedge.exe
548	msedge.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
6088	powershell.exe
6088	powershell.exe
6088	powershell.exe
2536	wmic.exe
2536	wmic.exe
2536	wmic.exe
2536	wmic.exe
3160	driver1.exe
3160	driver1.exe
3160	driver1.exe
3160	driver1.exe
5108	svchost.exe
5108	svchost.exe
5108	svchost.exe
5108	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeIncreaseQuotaPrivilege	5864	powershell.exe
Token: SeSecurityPrivilege	5864	powershell.exe
Token: SeTakeOwnershipPrivilege	5864	powershell.exe
Token: SeLoadDriverPrivilege	5864	powershell.exe
Token: SeSystemProfilePrivilege	5864	powershell.exe
Token: SeSystemtimePrivilege	5864	powershell.exe
Token: SeProfSingleProcessPrivilege	5864	powershell.exe
Token: SeIncBasePriorityPrivilege	5864	powershell.exe
Token: SeCreatePagefilePrivilege	5864	powershell.exe
Token: SeBackupPrivilege	5864	powershell.exe
Token: SeRestorePrivilege	5864	powershell.exe
Token: SeShutdownPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeSystemEnvironmentPrivilege	5864	powershell.exe
Token: SeRemoteShutdownPrivilege	5864	powershell.exe
Token: SeUndockPrivilege	5864	powershell.exe
Token: SeManageVolumePrivilege	5864	powershell.exe
Token: 33	5864	powershell.exe
Token: 34	5864	powershell.exe
Token: 35	5864	powershell.exe
Token: 36	5864	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeIncreaseQuotaPrivilege	6088	powershell.exe
Token: SeSecurityPrivilege	6088	powershell.exe
Token: SeTakeOwnershipPrivilege	6088	powershell.exe
Token: SeLoadDriverPrivilege	6088	powershell.exe
Token: SeSystemProfilePrivilege	6088	powershell.exe
Token: SeSystemtimePrivilege	6088	powershell.exe
Token: SeProfSingleProcessPrivilege	6088	powershell.exe
Token: SeIncBasePriorityPrivilege	6088	powershell.exe
Token: SeCreatePagefilePrivilege	6088	powershell.exe
Token: SeBackupPrivilege	6088	powershell.exe
Token: SeRestorePrivilege	6088	powershell.exe
Token: SeShutdownPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeSystemEnvironmentPrivilege	6088	powershell.exe
Token: SeRemoteShutdownPrivilege	6088	powershell.exe
Token: SeUndockPrivilege	6088	powershell.exe
Token: SeManageVolumePrivilege	6088	powershell.exe
Token: 33	6088	powershell.exe
Token: 34	6088	powershell.exe
Token: 35	6088	powershell.exe
Token: 36	6088	powershell.exe
Token: SeIncreaseQuotaPrivilege	2536	wmic.exe
Token: SeSecurityPrivilege	2536	wmic.exe
Token: SeTakeOwnershipPrivilege	2536	wmic.exe
Token: SeLoadDriverPrivilege	2536	wmic.exe
Token: SeSystemProfilePrivilege	2536	wmic.exe
Token: SeSystemtimePrivilege	2536	wmic.exe
Token: SeProfSingleProcessPrivilege	2536	wmic.exe
Token: SeIncBasePriorityPrivilege	2536	wmic.exe
Token: SeCreatePagefilePrivilege	2536	wmic.exe
Token: SeBackupPrivilege	2536	wmic.exe
Token: SeRestorePrivilege	2536	wmic.exe
Token: SeShutdownPrivilege	2536	wmic.exe
Token: SeDebugPrivilege	2536	wmic.exe
Token: SeSystemEnvironmentPrivilege	2536	wmic.exe
Token: SeRemoteShutdownPrivilege	2536	wmic.exe
Token: SeUndockPrivilege	2536	wmic.exe
Token: SeManageVolumePrivilege	2536	wmic.exe
Token: 33	2536	wmic.exe
Token: 34	2536	wmic.exe
Token: 35	2536	wmic.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1328	3660	msedge.exe	81
PID 3660 wrote to memory of 1328	3660	msedge.exe	81
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 824	3660	msedge.exe	82
PID 3660 wrote to memory of 3508	3660	msedge.exe	83
PID 3660 wrote to memory of 3508	3660	msedge.exe	83
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84
PID 3660 wrote to memory of 5032	3660	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3076
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://getwix.pro
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa1df346f8,0x7ffa1df34708,0x7ffa1df34718
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff655625460,0x7ff655625470,0x7ff655625480
    3⤵
    PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1537827704084260805,13104205349479891036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5468

C:\Users\Admin\Downloads\Wix\Wix.exe
"C:\Users\Admin\Downloads\Wix\Wix.exe"
1⤵
PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Downloads\Wix\Wix.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\Wix\Wix.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\ProgramData\driver1.exe
  C:\ProgramData\driver1.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 392
    3⤵
    - Program crash
    PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 388
    3⤵
    - Program crash
    PID:5380
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.exe /sc onstart /ru SYSTEM
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3160 -ip 3160
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3160 -ip 3160
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe

Filesize
1.1MB

MD5
9cff7f2ffa235062a389eafa44385df5

SHA1
97f06a91915400aaf0f2e93352172395e9dc1c66

SHA256
1103d24428005f23b7c88bdaafc615d1b4ed4320f3554e096712c80dfc4048f8

SHA512
aa242d26d02ed4eefe317781ad0692a2e70269221b26042a6f9e47ae18e286dda5dac3959397f85ea4a40ba82206a553c4b5e82962393142e45ab235fffbeadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
2f727d760f8d9901e5d5c4dc442b2746

SHA1
a2523f1af0aa20285fa2b7e742758f2cb17b9505

SHA256
7b895f402e9b1fad70672f21a7eec016f91043e6207ca28d18a70eb369be2214

SHA512
3e9678abea3234ec4840969e4815988b36011627e733eb722ffa32c3cba617fbfe4aade2ddeaf8fdcc5ef504ac2dcb41d8c1df68e3769c2a3115adad694ad217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
392272d5eff53fae5fb5245896d182f0

SHA1
f43c8a29133c192c694ff64cee0ff64406ea521e

SHA256
4518f0443ee72868093ce4aac0b3c45c857b51cffd61f7c67202790898a40516

SHA512
82af6a8a2c626e376cb7d924a9248eb28166a2e0fd7bbc1f7e70402f395262d10f79f3729ff200980095b374ed0f58abb901ed6c4926003260bf4a325deb916a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1012B

MD5
9b12d0ea483afc60e407ffa67a3b97e4

SHA1
0413877d3a334cbb4a0bbd6ffb1a7e95b7def726

SHA256
0027f12ebc2131e2f17113cbf72567d4f6807018435de980c3de7ec73516adf7

SHA512
62a9286c2da12287e82f7e25e1ef90e605b359a3188fe16ececcd37045b6fe36b6ef282867fc02bda4defdf0b0c82da2a1718da05cab4f4e6f508542e334d148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5f1e4f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
63b21264ba173c3a9cc040650e6d4ac4

SHA1
0cb7dd74acb8ca513030eb0af4678d1bc34fe9a3

SHA256
80c5068638c1d8f0d9dded31a0bb05860568af1e5fb6066bdb1c3665c1fb98a5

SHA512
d84a7868b7cf79ea1dd8791f399919e981f361b8f04b4c6ff528fa39f20e127f45ddef2488dabffa2748981caee0c80aa632ea043eb94fefc95bc53bf81b00c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f090bffa3088cdae8f5cb185e4fb7b55

SHA1
c53793205d82711b780232b78ac28ed762844acf

SHA256
3f4c27802f73e3afbe38a7410feed570e024acb3b896500589ebc330a0336bf3

SHA512
7cba18d2ec49923e4056bdd9a5dc74d577f57258f3a0e4cdcbacd97673b232d9ae1272676bd7ffecf41c265417f3b9802e90eeba0528a9da54673fd7f8f31495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56d8d803003f055fed6d5b0aa879833c

SHA1
5cef1b1155d0a09566ae7ce697df2119837c48d5

SHA256
4661a28a2c2f1ca9a2ff4dc396322de3cb7921c3d270644c17d395e6e48a37e8

SHA512
bd552a65aa64167e5c65cf4140e2f244247e139895a78af4e45927d184815d984da22cc6d7b4885e9c3862265c9ea047ad91d5547e6edce4aa7473f800fa6b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
345973f0f34106d8066adfb8078e924b

SHA1
1eb36946c0a287b18324f27a26aadf33ff1665ca

SHA256
54992a0829b03d1ded585c6065859755de6d0c9bd5351b4d9b2b1ec73aa485df

SHA512
ea7a7358319d192b72a64f2844331cb69c2d6d1a263b671c32bc2fb887c07cce250a1d26c6feb7b7172ca777550d00c97b19f54712206c58730227b06654927d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8aedba9fbd8bb82d40e1135617776c5

SHA1
3045854fc831e94675bce01adfb9b1e0ac66a270

SHA256
331bb8fa791f162c5e63cf0bb62189d6edf5497a65cec1fe23a189be1dafd4d9

SHA512
0bcd74eb15277bd6c50a4e2aced97c2b4b745137318b16a441b2411c7bedff2f9b5ef556909792d60ef0f728cc94aa5d9ae5a7b01b38ff63922802fbf8b260f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9bf6e88429a0f35fa307a3d939d0085f

SHA1
6eba2ac715249a5bdc54a8d20a9ac0cc055da4b6

SHA256
8ed30d3aca5da8bd7b60eb6ad786a219ee09f466004347578596a49624aad365

SHA512
a681f67392d45de7742e10307b770f478f89c2a4eb8d460e1ce95c67ddc42cc824f2bd0604b0576220f5a70e511cc590158e596b51f60dcd9acb6a78e8e7b81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
058b3ed1837c115f03699c999b044e80

SHA1
50840134649fcd57e1530886786764936080f9e8

SHA256
9b3e4e21ddbae65c5cc226586567d370798c9a33204d5604073b87af3ca5d033

SHA512
30ef5afb798b41e44bbeb035497d702cf71aac727a9b48e4b41e93474e80325b047b1804cf5a22821c3f33f95595bf1c2d9767de61fe5e2cc71ff42fe2e7d4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oaapt1gg.owm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4e9c192fb1c0af25e47a41e8adb9ffeb

SHA1
16b2b40eedf53a9ba80d3dafb0dde4eb0ee2ccf1

SHA256
6afbccda73db30826cde0b56f508dfec9bf748b7e457a02f90b7ac34bdd1733f

SHA512
e2568b056f764d2273573b47d795ec01c9833f303788e1d13a4d4bad0636de1980a22a298390fcfacf0d21ee9cb2326851c8472da365fabf3c6f00ae5eea5cb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
34b57b227ed1ec937c5b81fc48a72bb3

SHA1
ae633f19464de0a25f84b8fd171bfe33a825c6a3

SHA256
fcb6d06f5c2bb18c1e41ac4396eb5eb67d019eadef62d1c5cc80c68ecd6c21e9

SHA512
72e2bb8b0040222e0623e12f574d0b2275a1d63d6be60a21153204ca6b36eea3d06af50cfa6a390678abd2e63fb8171c9cf8f3f8f8ebf845a1b68632b6368f0f

Download Submit
C:\Users\Admin\Downloads\Wix.zip

Filesize
30.2MB

MD5
ec2ded854e797340f7dd38ebde75982e

SHA1
5493348e812a1683cf9df2d906ae6758d5489fa1

SHA256
71bf189ebc55138bfce56f63efcacdb2f277d53215883fa0895810f8403a2d5f

SHA512
9a27d3c9bef51b2ceaa0e6b713e9f6016c77ed4769de90720abb38b52f3505ea91aa9798279570f2c4b52f81a02384d6451e594aa666b4c9eddedbf0e5f625e7

Download Submit
memory/3160-293-0x0000000001280000-0x0000000001680000-memory.dmp

Filesize
4.0MB

Download
memory/3160-294-0x0000000001280000-0x0000000001680000-memory.dmp

Filesize
4.0MB

Download
memory/3160-295-0x00007FFA2D9D0000-0x00007FFA2DBC8000-memory.dmp

Filesize
2.0MB

Download
memory/3160-297-0x00000000759E0000-0x0000000075C1A000-memory.dmp

Filesize
2.2MB

Download
memory/3160-287-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5108-298-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/5108-301-0x00007FFA2D9D0000-0x00007FFA2DBC8000-memory.dmp

Filesize
2.0MB

Download
memory/5108-300-0x0000000001000000-0x0000000001400000-memory.dmp

Filesize
4.0MB

Download
memory/5108-303-0x00000000759E0000-0x0000000075C1A000-memory.dmp

Filesize
2.2MB

Download
memory/5864-256-0x000001ADF5400000-0x000001ADF5422000-memory.dmp

Filesize
136KB

Download