6803c04d37e75a73d57b012f74dd6440c527dd6fed42eaf3343566ddf404b0e4

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forkahexagon.ps1
Size

1KB
MD5

d31ce2ac03452da4e7614de5650daba4
SHA1

7ac68b3a389b93cc123ab838703f7c8080925137
SHA256

6803c04d37e75a73d57b012f74dd6440c527dd6fed42eaf3343566ddf404b0e4
SHA512

8191ba3d9ae40d33cbeec88f481daff5727ed25074b3e948eff3452082c79898516b70741896b99e1dd8a99425b3e0f6a92daa54a8b2459f21c96589f7fb5f81

Score

3^/10

discovery execution

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
224	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
224	powershell.exe
224	powershell.exe
960	msedge.exe
960	msedge.exe
2104	msedge.exe
2104	msedge.exe
852	msedge.exe
852	msedge.exe
4472	msedge.exe
4472	msedge.exe
6136	identity_helper.exe
6136	identity_helper.exe
5660	msedge.exe
5660	msedge.exe
5660	msedge.exe
5660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	powershell.exe
Token: 33	5652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5652	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
224	powershell.exe
224	powershell.exe
224	powershell.exe
224	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 948	224	powershell.exe	88
PID 224 wrote to memory of 948	224	powershell.exe	88
PID 948 wrote to memory of 2560	948	msedge.exe	89
PID 948 wrote to memory of 2560	948	msedge.exe	89
PID 224 wrote to memory of 852	224	powershell.exe	90
PID 224 wrote to memory of 852	224	powershell.exe	90
PID 852 wrote to memory of 3024	852	msedge.exe	91
PID 852 wrote to memory of 3024	852	msedge.exe	91
PID 224 wrote to memory of 4660	224	powershell.exe	92
PID 224 wrote to memory of 4660	224	powershell.exe	92
PID 4660 wrote to memory of 3000	4660	msedge.exe	93
PID 4660 wrote to memory of 3000	4660	msedge.exe	93
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 1416	852	msedge.exe	94
PID 852 wrote to memory of 960	852	msedge.exe	95
PID 852 wrote to memory of 960	852	msedge.exe	95
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96
PID 852 wrote to memory of 2012	852	msedge.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\forkahexagon.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=oHg5SJYRHA0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbc8746f8,0x7ffdbc874708,0x7ffdbc874718
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18045497800246451527,12977072998274049876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18045497800246451527,12977072998274049876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=i+got+virus+plz+hlp
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdbc8746f8,0x7ffdbc874708,0x7ffdbc874718
    3⤵
    PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5344 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7923873056693884510,13387570287331486432,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6128 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=4JL0nLDq4to
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbc8746f8,0x7ffdbc874708,0x7ffdbc874718
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13081949939596101504,1050152483266294588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
47KB

MD5
97244a4b866e404446dc139016cf23fc

SHA1
54b2c9d1498907d75c6722b145729361b2353f47

SHA256
2fb7c27a7ff245726c6d886d5342cbd81ebb451c0dcd9a231af2252e8952ffac

SHA512
aede88d704c2bc0210189880d4260b9e35a9081eb21c51409048287ff35fa88aeecb036661baff2605419897ab644a4fc8e7fcfd93c14096d5e91503f5a4fc65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
a2aea692ba255610fb49fd92b28e28eb

SHA1
61c2ee85ad2c61b64f59c54e1a97e821dcb118fa

SHA256
1c7588aac16fc9cc7cf94c253393a02920d586a800ad430e910260b38a0021b9

SHA512
ee67bdd219cf8fb419de1e6cef4cfaccf9a1fa55fdbd2c2247f8c84e09d6664fc1df09e2bbebf270df4e195dd1130acc4b5301a13dc2c0f9365eb11eb22e6b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
73f867fe5e4a8e598e898e7b4cd8a36d

SHA1
ee8241e9a3f46d2ea3bd884f78ca07df7f766582

SHA256
2975c40784e1adeec0653f0b183b015d945e9968bd4ca812c617400bc5485571

SHA512
436de94f2e22949d3ed31579c881873273f22de9361b7ebd8532fb2f5a1b4e46200d5f2556068246bfb3642c13e195c1fe589eb36fd517c5586ba056c524135e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6e3754144f13be4091ece97f4d45811a

SHA1
f4271a5307306c9a3aad5fe8b94b9e7604fef213

SHA256
abb5ca3255815220915809b2a2099966dcc8de13abf2db822e732e8ea11f1306

SHA512
2a0ea38c869e8b81a9e560e231b7b93350ea884092bf24b8cb5c06f19b2de24845b582b01c68a1f0f65663055dd56ff7fb2f854bc8757457aae03891130d33a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
38d0496ed3b59b9adccbb1b6765b9f6d

SHA1
fe8e506e588f5991abf19206985dcc289eb3c8fd

SHA256
45bdbb384de65d2be70d19374521d59224803015e44327254e85763518e94566

SHA512
bcb4870a89ae7d4f96c25da9371bf8efc007cba178ec29d6ef3b6bb08d8a4af937bcc20d42d5a5ed2652c818d1e70db53e57f50b1fd479570f321eb3fd246f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a55c6b7649671f6b745d4c5e0302319f

SHA1
0c6d075b2f6ce651bbc7f651e886f1b27436dea1

SHA256
9b0797833be7355e9e1da05be2d7bdf3d44662a20cf42bc0f44c00ce22e522fe

SHA512
b6e5885f150c0ccf4083f8982e234237eaaba947bbe0d44a06699980d41e631fc97cacfc946d6b4deed46d3763155d6f3412e61e11af750ba59f574a939554e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9fe961b6ce4955ee1439027d83375fd

SHA1
951b72f9692a821fe2e21589e86851f12e2525ed

SHA256
6b6491e49fcb03e9c51a8f636cc6e42ee15e2496c386077da1d4a9cd65760f1e

SHA512
814c7ead28a386176cb43bbec16b7e7addf3a16d8a07aa38b07a6222c0ff98f50b5bf9067449f1beb80ed945ebf7a567880358023410f785286d85875cb5e0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ca732c29-009c-46d8-95e3-1de330fae43e\index-dir\the-real-index

Filesize
2KB

MD5
1f3f150bbb7c101068f65c52a298d2de

SHA1
aec96df9a78d617ccc3842275274eae134c6be59

SHA256
d9879bc7510b7875b101b3e2aa9cd23174c323517b01e8a47cf8a9d2aa2f0def

SHA512
5284a6962e90a946f6e360f3cbad2e91fafb27062257e0aec0877b62ffa9ff275d356ab499e31ebcafea96139e1073266ed9493ebf4c89220dfc50a160c16fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ca732c29-009c-46d8-95e3-1de330fae43e\index-dir\the-real-index~RFe583582.TMP

Filesize
48B

MD5
7f30fbe5db0727af895ad43d5af170d3

SHA1
592d735fc0e2b6d0c64095e484ca6d3246e6b46f

SHA256
b0df388fc0b8811919f09cfbcb48ede63a6562d72278d797452f9b94ac76ee6d

SHA512
b562c8b5e192ba9497cc258c97787fd0414a838c3bad1a6fafa4e8e5319e46e733ebb2b5b1be9571dea81b0807a5e59cb5e50ee813b63b2acb7b72bbb79dad91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
348af5365a5bd9fe67747da67dd82e2b

SHA1
766f24d73683a03d8bab040bd2503a788c7feee3

SHA256
66500b36909ab13a9f0a0bc8907b498b57953d1d6b560034462a586ce641db6f

SHA512
be20be89a557a66fb4b1133693d02a9db5b1ff06804dbe80acc0d3ab14dca9f7c1992f40c92adbdfd12c75afe72aae93a14e5cbfdfea0f7c0ab6e8e046a2b308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
9eae4c203b7bfb982b83c8e2716a867f

SHA1
f6226f8cabcab28ed1e4e4e7430967f02ab0dc65

SHA256
363941e8a9438f3e204e093fff842eb233f2fa5fce7b7bd91689e28c03cb63fd

SHA512
04d765db501a1014b920262d14112e56637cf259b0a250a4ae65db380f32ff36a767dd5a8104b40e8651bd8caae0262c84ab33cefac12e5aa198d68ec3e8d121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
edfcc10b0d0f7ca1cabe90938f4685ff

SHA1
e48ad4b9c1e9cfefbeeccfde2cb5739cfd73327b

SHA256
7eaaf393f1df57c499aa22f2b9d116eb2a22e3b6bf484e1908ae5b1eb342f8ae

SHA512
739adc9126a6789739f2a2811431aa734e98a249934e244085f7eee1ca094e74f1e3f8294df94a01fc93ebef79ec4bf38537768af07a3be244bdb9ddfb6f2b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
217de56a76e3ce7956ad22c28bc35002

SHA1
f2b77ba7f3942df956926801843345dc65a02926

SHA256
306de0fed5e1247f291820a5c5f67e129e919a6542660b2cda6cb54b5a268281

SHA512
ea2c53275669138dfd39af7988a5dc4ce63e2c7360ea339db97e7516fd060f2c1d1d76f4d3c847c86beaf7d86228df01d3beb5816aefc49bf18c170749e44f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
b1e575009880e0394f6417c10c1c50ac

SHA1
4aadd0d86bd72544dfff604c69ab33da7bc0cb83

SHA256
7c6882edb13e5c445124c5cd39d73b17a13f907337eecfdf246dbe89fb05363b

SHA512
63693f0ec931de4855670a2b852c863be347dfa69ef58ccdb10e84f63ccdb69650b7a6a1adb66fd942c483cfe1fa7ad11975e412929298a0c1607c585b4005f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
3eb8072586c5e006e7edca1a839977aa

SHA1
ce859debb9d94c5c0b57c982b8dba7deb7699bab

SHA256
572d4547b210da10eecbca2f129b582d00329117add7d5dad28bf149cafcc890

SHA512
1d2ed4f6d1cd3dca0dbb07402fbe97adde1fc405d79dbb4434f6bc681c29cc307e6851c340e35a2082332a20db30393b0a3637f99135ff40d8cf53d5c783ca0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ff66c1d51a6bac918dc5490a29402efb

SHA1
4566b23435545685b19669ecd82d2454addd19f7

SHA256
71a1e6c20aadb27f06e7a9e0ae26f9fb0a749593976556de684ef8b5c60ec8ad

SHA512
de0d5f2ca1a36c5eba96ee2f3a9175de2ccc4b0bf1057d5bb50d4af2a14b89ddddc5c246e1a1eac8e90c28dccaefb56085e167e2c32e36e211f7bdedbd5c651b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ec35.TMP

Filesize
48B

MD5
b660c607117bc0dd882648b939464f47

SHA1
6d44bc73a3ddc6f23fd4e72b7424b3ff4b71f042

SHA256
f650cbbd98ffb63e19da167ea3f4eba872e581d2ab893a5353b2be945392dad7

SHA512
76754312a8048f6170e5cd8aad0d548be6e8b4ef578ae0318be1c6d0fc3bb2006d7dedc459fdbaa05a053c2ee92bc4b07e12bc8064a6a10a5e1ad202df144233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
63cc791ce731e362523002989bbdb330

SHA1
d8acc3d46cd7b80603c941fcf58d063863d98d44

SHA256
dbcec29a792ccbdaa3f5ed71fd684b9460978bffaa9787c3dff3cb9391fcb13f

SHA512
2af72010a5650add02a1fad5a6e15ced6253872d0f93bb87da59b09d925de865160e0f03430a5cf1a284aa58b54d4a5209e29503689bf9d50dde8959dec73821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589853.TMP

Filesize
874B

MD5
195a0ad0899cb88f9d66ca495f721d14

SHA1
3d8e97b46a22129178716550650c2d7129940a24

SHA256
5f3141d304c36aff931640cf6c59e6ed0cd8a81bea7e4ba554d9fda48dc5c495

SHA512
aa9246d05623ead8f1b4b00c7c680e8510369eaf3bfd4b501080b82f264a6e29fd9243bc0b45e66f857d2225aa85766e3e3b56261415e11bd64703a488a31765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51a00620f962e5c5bb1a9a7400615bf5

SHA1
4b419d477a20cc7567b076b439bb3412fbc6b36d

SHA256
e7d016582842c5dc7aef29a4cc08c91fa46f940c7002f69e0ed8ed22d2cd5820

SHA512
8c15e6ac1a66a70fe60a19417930fdc85a640a1d872dc1cd36000b0d011ca2d4fb876d4915aea2c72f00945e7ee8dfb00fc539d7c805cdc8b4030c5b3bfff757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bfcadb3f25a01ef69e4aa06943c12c21

SHA1
8acee1020bcf73cbbea8c606a878c8bf5a348a82

SHA256
08863d472afcbafe204c9d46010695999bef5456d7103f6388eea6632ae35f1b

SHA512
e81fb652f80f7737ea9961c9e85520e31d820113b83ff00b149bf3882c5718cb5ca4307a5a68995efcfa321eea5e03038b925bb9d3c7e504097eb0a5619a52c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6af3704519fe1debaff61d220e01433b

SHA1
f3e9664a10e9a6c548974383a2c28ba0858858d8

SHA256
e35ceaa5cef8653e797dad86e25a2133c7d5b8daf4c20cbf991163783c1d0ef9

SHA512
641702857c7473d85747f127fbcdf9ab6054bd58dc05761bd05b9f238e6128178f53e0b05cb26b4f756e21231cafec4cfe9a844cf9446bcc9bc1492c2f980328

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjpzzth1.ofm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/224-16-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-14-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-13-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-12-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-11-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-15-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

Filesize
8KB

Download
memory/224-0-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

Filesize
8KB

Download
memory/224-160-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/224-1-0x00000230D59B0000-0x00000230D59D2000-memory.dmp

Filesize
136KB

Download