f66238b603338a2d61fd44c039d1ad890a6c5d547f3c50bf9fd6067a5372d3d9

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fisch.ps1
Size

794B
MD5

bcb418824c3ec771ed43ee14d4993eb9
SHA1

477ede1bacf540e2d0c410ca6046ff38ea2f0ed8
SHA256

f66238b603338a2d61fd44c039d1ad890a6c5d547f3c50bf9fd6067a5372d3d9
SHA512

ddfdf53c2c600abc88aefcabc1faeab474538f6864fe9626acf85289e967530029b313fdf493f02dc774687aad02bf2bbdf07d717d0175cc69414f854a1950f6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{881CA412-605C-4279-9DA8-EAA8593D69D2}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6032	vlc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6032	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
6032	vlc.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6032	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 492	1572	msedge.exe	125
PID 1572 wrote to memory of 492	1572	msedge.exe	125
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 3572	1572	msedge.exe	126
PID 1572 wrote to memory of 772	1572	msedge.exe	127
PID 1572 wrote to memory of 772	1572	msedge.exe	127
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128
PID 1572 wrote to memory of 224	1572	msedge.exe	128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fisch.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
1⤵
PID:1504

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fisch/
1⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4584 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:1
1⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5016 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:1
1⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5388 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:1
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5600 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:1
1⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ffbbe472e98,0x7ffbbe472ea4,0x7ffbbe472eb0
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2260 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3264 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3368 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4852 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4908 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5208 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5484 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5620 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5440 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4812 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4872 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3980 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5996 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6084 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4344 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6432 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5208 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6080 --field-trial-handle=2264,i,7469861692350842817,16092662785155048756,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:2276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RegisterPush.mpa"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ba81af2aab0892225cf46a6b68c5a263

SHA1
dfaa4c862fcdd465723814f7f860a4d6e9b2cc86

SHA256
a10c6b18898e145918dc01a12efbb379175c4832f293c4382189cc7f974d49d9

SHA512
edfaef8c2cd6d80da5002cebbc4d5b097e019dac93a55401d62515e5110a6f0e1d484eef293a047e433407e6324fc3d2fe7a4f58aebbeb57dddf1d48f1873b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aec4dcaea35e8945ede57ed0e1fd6d08

SHA1
70a0cc875fbde6a3f72d9048bfb84df5a29df98d

SHA256
d350f411dad54d96167484f367f7ca5b6fd9fd066ee4423a1c6fab015ab1dca5

SHA512
d430f0722f1862455d5d644cffed27133b49c3fd2dfeb1b33aa1c86e8e3ae07517ee0b9b4f7291cee020deca4142c302a74838363c75bb0f0e7a2d990226469c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
911b8bac1ad4ed9044945967c54db06b

SHA1
6841460601290c5aedbfdd01661a7be0d2860c11

SHA256
c24611f54e23895152a10478510a46e687c059e238548eae272b3dfae04fc769

SHA512
09392edb942c8d0dc8f5e980be2cdd2b7f00d96a5e9f21aa61821155a461c7915d377d32d00a59110d36778aada1464d93b90ddb9d3e5c1237e2469a2497c551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
5795242946454f7e38b47792baed086e

SHA1
148cb93ad2f02f8861b429c6f73ba9184ee2565b

SHA256
dade1f78efb7ca07d0480734791a34ce621e1adaea2ad9675a6bf994099c1915

SHA512
57838ce83033e94149c16e8efe67543b67d2dd51ad2e8336b1cf59ff4d4de6b761183257ea181c5fea52b6da0e8c5485247cc253a0bace0ad3be4b2e3b6ed1e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
1fea855b3536bfc31606e1f4f38d8307

SHA1
1458be35119a9af9a53cb4bcb22ab7ee7b74fe7b

SHA256
4be79da6143297ed22542ccf7326188f86b91d7c7e053d3d5cf01ac4b43de912

SHA512
870caf2083853f20336f69e75ed96e67a2a31936a42720e98a4b3fd628ac6a961bac234703e61fbcd76dfe7cfa6dc47d4ae2299e10557759a43f0d8dddbaec31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
58KB

MD5
e1f2d250b23f62e67a554f6b81dd344d

SHA1
f7493a08da3669388a57b2ae455dd1792d3305c1

SHA256
73030b57894e11b5d3d14a9b6c33bc913c946f448cb4e3b915bf34210785ed51

SHA512
c065a3bf06831ecb9d2fda0e92edea93828d5ed299db2a7ed88114931ca8dbac43749ecbbf0c363884bd0c73ded8c8b3a5a8568e76486ff2a9ec9f0ba31225bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
58KB

MD5
d159f56522c422fffdb24a29a941c8b6

SHA1
02a9841f73a61159111f6771dc9b6215cf004168

SHA256
9198b545caed84ee0fc216c64c839b79dc4ff6bb4559b5e75c1e5cd34f203034

SHA512
1b2d81c360ac4d9201244cb8bf245f7ea3e91a1464be2e2daab54eba9b44d6c926845fbeaaa03d963abe460b819a8e7c1046ad2328c10e5fb5fe0f6c53d5b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
48KB

MD5
75e4e2239a41bdfde2711a1c68165e1b

SHA1
d6f756ee4ca5eeabc9428315487f7f41a3060515

SHA256
ff3585818117da5edb659b0152b40363ff50b525b6fbaf3ce134a86b31daaeb5

SHA512
78645ad85c34d66f423dbf63bedd6e63bdc3b4cb40b681bce02f5e7921d5e89de733a381d98995475b0594a86a35f04fb9cfe9b90d31ebbd9c22630c9d42bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wt522yce.xz1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1052-0-0x000001DDDCA60000-0x000001DDDCA82000-memory.dmp

Filesize
136KB

Download
memory/1052-13-0x000001DDF5000000-0x000001DDF5010000-memory.dmp

Filesize
64KB

Download
memory/1052-14-0x00007FFBC6420000-0x00007FFBC6EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-17-0x00007FFBC6420000-0x00007FFBC6EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-12-0x000001DDF5000000-0x000001DDF5010000-memory.dmp

Filesize
64KB

Download
memory/1052-11-0x000001DDF5000000-0x000001DDF5010000-memory.dmp

Filesize
64KB

Download
memory/1052-10-0x00007FFBC6420000-0x00007FFBC6EE1000-memory.dmp

Filesize
10.8MB

Download
memory/6032-165-0x00007FFBC4EC0000-0x00007FFBC4EE8000-memory.dmp

Filesize
160KB

Download
memory/6032-173-0x00007FFBC37A0000-0x00007FFBC37B2000-memory.dmp

Filesize
72KB

Download
memory/6032-144-0x00007FFBCDA40000-0x00007FFBCDA51000-memory.dmp

Filesize
68KB

Download
memory/6032-145-0x00007FFBCDA20000-0x00007FFBCDA37000-memory.dmp

Filesize
92KB

Download
memory/6032-146-0x00007FFBCDA00000-0x00007FFBCDA11000-memory.dmp

Filesize
68KB

Download
memory/6032-147-0x00007FFBD7EB0000-0x00007FFBD7ECD000-memory.dmp

Filesize
116KB

Download
memory/6032-148-0x00007FFBD7E90000-0x00007FFBD7EA1000-memory.dmp

Filesize
68KB

Download
memory/6032-149-0x00007FFBC4AA0000-0x00007FFBC4CA0000-memory.dmp

Filesize
2.0MB

Download
memory/6032-150-0x00007FFBCD300000-0x00007FFBCD33F000-memory.dmp

Filesize
252KB

Download
memory/6032-151-0x00007FFBC39F0000-0x00007FFBC4A9B000-memory.dmp

Filesize
16.7MB

Download
memory/6032-152-0x00007FFBC71C0000-0x00007FFBC71E1000-memory.dmp

Filesize
132KB

Download
memory/6032-153-0x00007FFBCD2E0000-0x00007FFBCD2F8000-memory.dmp

Filesize
96KB

Download
memory/6032-155-0x00007FFBC7180000-0x00007FFBC7191000-memory.dmp

Filesize
68KB

Download
memory/6032-156-0x00007FFBC4FA0000-0x00007FFBC4FB1000-memory.dmp

Filesize
68KB

Download
memory/6032-154-0x00007FFBC71A0000-0x00007FFBC71B1000-memory.dmp

Filesize
68KB

Download
memory/6032-157-0x00007FFBC4F80000-0x00007FFBC4F9B000-memory.dmp

Filesize
108KB

Download
memory/6032-158-0x00007FFBC4F60000-0x00007FFBC4F71000-memory.dmp

Filesize
68KB

Download
memory/6032-161-0x00007FFBC3980000-0x00007FFBC39E7000-memory.dmp

Filesize
412KB

Download
memory/6032-162-0x00007FFBC3910000-0x00007FFBC397F000-memory.dmp

Filesize
444KB

Download
memory/6032-160-0x00007FFBC4F10000-0x00007FFBC4F40000-memory.dmp

Filesize
192KB

Download
memory/6032-164-0x00007FFBC38B0000-0x00007FFBC3906000-memory.dmp

Filesize
344KB

Download
memory/6032-163-0x00007FFBC4EF0000-0x00007FFBC4F01000-memory.dmp

Filesize
68KB

Download
memory/6032-143-0x00007FFBD76C0000-0x00007FFBD76D7000-memory.dmp

Filesize
92KB

Download
memory/6032-159-0x00007FFBC4F40000-0x00007FFBC4F58000-memory.dmp

Filesize
96KB

Download
memory/6032-166-0x00007FFBC3880000-0x00007FFBC38A4000-memory.dmp

Filesize
144KB

Download
memory/6032-167-0x00007FFBC4DB0000-0x00007FFBC4DC7000-memory.dmp

Filesize
92KB

Download
memory/6032-169-0x00007FFBC3830000-0x00007FFBC3841000-memory.dmp

Filesize
68KB

Download
memory/6032-168-0x00007FFBC3850000-0x00007FFBC3873000-memory.dmp

Filesize
140KB

Download
memory/6032-170-0x00007FFBC3810000-0x00007FFBC3822000-memory.dmp

Filesize
72KB

Download
memory/6032-172-0x00007FFBC37C0000-0x00007FFBC37D3000-memory.dmp

Filesize
76KB

Download
memory/6032-171-0x00007FFBC37E0000-0x00007FFBC3801000-memory.dmp

Filesize
132KB

Download
memory/6032-142-0x00007FFBD8160000-0x00007FFBD8178000-memory.dmp

Filesize
96KB

Download
memory/6032-174-0x00007FFBC3660000-0x00007FFBC379B000-memory.dmp

Filesize
1.2MB

Download
memory/6032-175-0x00007FFBC3630000-0x00007FFBC365C000-memory.dmp

Filesize
176KB

Download
memory/6032-176-0x00007FFBC3470000-0x00007FFBC3622000-memory.dmp

Filesize
1.7MB

Download
memory/6032-177-0x00007FFBC3410000-0x00007FFBC346C000-memory.dmp

Filesize
368KB

Download
memory/6032-178-0x00007FFBC33F0000-0x00007FFBC3401000-memory.dmp

Filesize
68KB

Download
memory/6032-179-0x00007FFBC3350000-0x00007FFBC33E7000-memory.dmp

Filesize
604KB

Download
memory/6032-180-0x00007FFBC3330000-0x00007FFBC3342000-memory.dmp

Filesize
72KB

Download
memory/6032-181-0x00007FFBC30F0000-0x00007FFBC3321000-memory.dmp

Filesize
2.2MB

Download
memory/6032-182-0x00007FFBC2FD0000-0x00007FFBC30E2000-memory.dmp

Filesize
1.1MB

Download
memory/6032-183-0x00007FFBC2F90000-0x00007FFBC2FC5000-memory.dmp

Filesize
212KB

Download
memory/6032-184-0x00007FFBC2F60000-0x00007FFBC2F85000-memory.dmp

Filesize
148KB

Download
memory/6032-185-0x00007FFBC2F40000-0x00007FFBC2F51000-memory.dmp

Filesize
68KB

Download
memory/6032-186-0x00007FFBC2ED0000-0x00007FFBC2F31000-memory.dmp

Filesize
388KB

Download
memory/6032-187-0x00007FFBC2EB0000-0x00007FFBC2EC1000-memory.dmp

Filesize
68KB

Download
memory/6032-188-0x00007FFBC2E90000-0x00007FFBC2EA2000-memory.dmp

Filesize
72KB

Download
memory/6032-189-0x00007FFBC2E70000-0x00007FFBC2E83000-memory.dmp

Filesize
76KB

Download
memory/6032-190-0x0000023EC3D70000-0x0000023EC3E0F000-memory.dmp

Filesize
636KB

Download
memory/6032-191-0x0000023EC2EF0000-0x0000023EC2F01000-memory.dmp

Filesize
68KB

Download
memory/6032-192-0x0000023EC3E10000-0x0000023EC3F12000-memory.dmp

Filesize
1.0MB

Download
memory/6032-193-0x00007FFBC2C80000-0x00007FFBC2C91000-memory.dmp

Filesize
68KB

Download
memory/6032-194-0x00007FFBC2C60000-0x00007FFBC2C71000-memory.dmp

Filesize
68KB

Download
memory/6032-195-0x00007FFBC2C40000-0x00007FFBC2C51000-memory.dmp

Filesize
68KB

Download
memory/6032-199-0x00007FFBC2C00000-0x00007FFBC2C18000-memory.dmp

Filesize
96KB

Download
memory/6032-200-0x00007FFBC2BE0000-0x00007FFBC2BF6000-memory.dmp

Filesize
88KB

Download
memory/6032-198-0x00007FFBC2C20000-0x00007FFBC2C32000-memory.dmp

Filesize
72KB

Download
memory/6032-204-0x00007FFBC2B50000-0x00007FFBC2B61000-memory.dmp

Filesize
68KB

Download
memory/6032-203-0x00007FFBC2B70000-0x00007FFBC2B81000-memory.dmp

Filesize
68KB

Download
memory/6032-202-0x00007FFBC2B90000-0x00007FFBC2BA2000-memory.dmp

Filesize
72KB

Download
memory/6032-201-0x00007FFBC2BB0000-0x00007FFBC2BD9000-memory.dmp

Filesize
164KB

Download
memory/6032-141-0x00007FFBC71F0000-0x00007FFBC74A4000-memory.dmp

Filesize
2.7MB

Download
memory/6032-140-0x00007FFBD7540000-0x00007FFBD7574000-memory.dmp

Filesize
208KB

Download
memory/6032-139-0x00007FF6EC050000-0x00007FF6EC148000-memory.dmp

Filesize
992KB

Download