hxxp://HappyMod-Pro-3-1-0[.]apkp

Resubmissions

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03-06-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://HappyMod-Pro-3-1-0.apkp

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2457560273-69882387-977367775-1000\{2AF90993-7FD9-4AAD-A266-DA2E92B0B723}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
2268	msedge.exe
2268	msedge.exe
1624	msedge.exe
1624	msedge.exe
1896	identity_helper.exe
1896	identity_helper.exe
1364	msedge.exe
1364	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	3388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3388	AUDIODG.EXE
Token: SeTcbPrivilege	5700	svchost.exe
Token: SeRestorePrivilege	5700	svchost.exe
Token: SeTcbPrivilege	5700	svchost.exe
Token: SeRestorePrivilege	5700	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 412	2268	msedge.exe	78
PID 2268 wrote to memory of 412	2268	msedge.exe	78
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 1104	2268	msedge.exe	79
PID 2268 wrote to memory of 5084	2268	msedge.exe	80
PID 2268 wrote to memory of 5084	2268	msedge.exe	80
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81
PID 2268 wrote to memory of 1752	2268	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://HappyMod-Pro-3-1-0.apkp
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeec433cb8,0x7ffeec433cc8,0x7ffeec433cd8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,14856368798420886085,11547651206256427337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000494 0x0000000000000480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2400

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5308

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700
- C:\Windows\system32\dashost.exe
  dashost.exe {db12a131-2be9-4b8e-95366fffe06d9c76}
  2⤵
  PID:1448
- C:\Windows\system32\dashost.exe
  dashost.exe {90daeb2b-d6bb-4574-b72d9a7bbe2dd57f}
  2⤵
  PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da6bc59ac176b18a1de73f35cdbe231b

SHA1
ea40f28af3219ba277664181fd43e63bc17c2a75

SHA256
d88f8f367689c0b99376c506dd024ad3338593e3b289e5e39e89034cc4ebdbd6

SHA512
ae7eb69702191951d722f06dabf836a0f340c17982cee808305067acc291087eae9750f51a1f29f446e7cdd9e386fae6f0c5f0c532448b8743651222885df41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d7e4cd084f497c920adc2a2f5d31035d

SHA1
52f01be7fdc7b956bf81a0c0a29511dae005b646

SHA256
923c0e7490d2a9291977e2c12da7ead82c099b35737743462038e33bff0af33b

SHA512
d54daf3eb4e672757a4831beaa3fb1a947fa780eaf25d23bd7630b99ffddcb78c95461788e94389b44f1894d9c6afda1f5c53f68e8281a8b2330103e5c5a6624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1f1e797f8092e62ac1ae3aa16892491

SHA1
99f16744af4c10cc321a87f38d9b6ed649dc86f7

SHA256
722d5aa16eb87697d68bfca27368c45a439e81d380d3520cbb3b578a31e68539

SHA512
907f4b10ff20eb2c53258e2a34d5a3f86be2c8f6e982b8b7ba0c869e39f6031ecffa7bcbfe2384c5ff1ecadb1ccc95d8d62e732caf332a6a42f8ccf6debdad1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f0aa68890545fb598372e2dd93581db

SHA1
1995d1c288d652e460ab26ed89257775c32ee2e5

SHA256
b17f47d3b2a9fe7cea0330d27cfa576b7ce51badd395d21b126c55e0aff93527

SHA512
1192e1d6f8a0f3b3cb85623cc47eeff7b7f83c8c707a7ecb8cd6acf0f5bb18340b7591dcb31c9a10ba4270f7160723c5ea838fdd9e8cef6558b3265faeef9044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d5015b82cd055ab40655e86a65117c69

SHA1
9deed298d08b7fbb1e6577bd0eda90f84e2ae9c8

SHA256
c269d027e82283cc061a7da720f0621e471615224bd8a0c265a7429a4e727174

SHA512
8226d1034ad26e4d9f7f328a410a6148e84aaee8c8257206cb0765097376c0a1468fcae99b2d704fcfabe2cee80b8fc010bef7f4a2cb555c63aea8df76610ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
812250ff360bb9bd1d39eb64c4146b82

SHA1
84789cc386ce2efedb8719d650787d5a2751742d

SHA256
8c1031aa1f90c3e578d11f0c2a412c6d3a92f9e3d5c65361540cac73afcdde22

SHA512
9fc1c0e44f4aabf6052513815ec0a3b8ded705f39b4790dec262780415f9756f398d138d572f9ad493a362b1f99947b02d82dd2d5de958bca592cf9175c58ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef3211593130e94c33ff4e740643fe8b

SHA1
a8c52b575dde23bdc43ae1c5f746fd3c7085aa19

SHA256
f18fc6487d1771782ae9d4d326bdb2b48540ab32a671a405e4df7bd697f5ebe9

SHA512
c97468b763164bc3e845645dd4ac65319a2cc00732c40f9cf8ba1a1aa18eeec797185d85a25b9919314aa8e9fec84e7b5780254e834003a66301976c0ad4c7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\50907543-a9b2-4833-8741-9ecb86d374b6\index-dir\the-real-index

Filesize
2KB

MD5
92f8737c1bd290e2cea27bd60b1659b0

SHA1
978302ce3489fe487674dd717f0e3714884af8cc

SHA256
9a4bb8854d5ecd96e5918cfb359b0feddf342c6557575a413a0145bac1997049

SHA512
f8613c16b0767437901283b493474a7f352986d4b8cd08b7ca4592e3c9ee16cc47cb11fa7df10f1383d8f365a2c51340a1e7365365f849102e9c342d3525d53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\50907543-a9b2-4833-8741-9ecb86d374b6\index-dir\the-real-index

Filesize
2KB

MD5
f97b1b4b9c407dfd957aeb8b8734b2a1

SHA1
2f5d7934bbaba8057d03e28de4753b743dc165af

SHA256
102fb9f5fc5aa730ef6492a981d45b4b80e83a1d36017fe4d3566888c024808b

SHA512
b39a0c6e34a9b8f1f257cf59f6cd16698c567718e312a57994d4d7b05927391f68f7a9537a8ec182114a0468a7388cbfcc853fe3928ad95a4afca3271fa9f7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\50907543-a9b2-4833-8741-9ecb86d374b6\index-dir\the-real-index~RFe57eb5a.TMP

Filesize
48B

MD5
ac43393babeb8c28c1059c1afc2ac5e4

SHA1
65dc91c48be7cc364ccde33b219cda8d5612ec02

SHA256
04cf170bd5803f2803d0476ff21e46d1521d1d092191437f3ed36fba3f01e3f6

SHA512
96ae3e16beb2b816312ffa8fa0d64c5b7c867975a950e1954afc349733f8b927ca85b236f381a6057b96e8e05dfcfb829241d484a0fdb78f00b37a029708d1dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5adb8bf3-77be-419e-8b37-2d40e5ea86bf\index-dir\the-real-index

Filesize
624B

MD5
2ed7b60561b518af5486dad28ef453c7

SHA1
87d90d479fd714257c58b10b8ef5a070c796071d

SHA256
89434ff38600faa532acc0bcf27e1b35c95f92185ee311fc86eadb58a31dec92

SHA512
95e11babf09fe1c5c64d44422599565fdb42bb990a61d01730d78d365953e876e413501f00094d9fe1e9812637c03f433d9bf7f6a9d305592eb69e09fef52617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5adb8bf3-77be-419e-8b37-2d40e5ea86bf\index-dir\the-real-index~RFe57e1b5.TMP

Filesize
48B

MD5
287599f13422e5534b16bd944314066e

SHA1
03e0b49fe13c22b79a47d8af410327e77eca9559

SHA256
35925ab67b0b6656383ee25ddcce57a6a7fea0e03834173d9775cd3367b1dacd

SHA512
d0d122274c6b0cfe99203da6c77a3616755a691c446d6ee3685b2e1351102ca10b29c07c4713feb92c8d9bbf133557ce9f1c1ae3b983c05071904feae2871641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
4164f574b1af0072e8f84a99dbc7564e

SHA1
1341354f8323fd740fda621610e59fe410591f3d

SHA256
0d98f1dbbe472ea15d250ff316269b5c16dae005ee0e959358f650663220b529

SHA512
76d65c86f6c7683118d3cdbb28e5f2e3071b6de6bc0140cf29fb74dccd25adbc090932675707023e96a0f3e81a379471ac20ee6a048da82bdbc403d03597766a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
26654fd636431f8794b6a6b5e28a9e39

SHA1
e110539fe8fa5c82026f46014eca0b0fa1446094

SHA256
9f29f416908ae18aea9b2b93255ffce459f6da465addc7ad3253d3ff1634a7a7

SHA512
4f0d8c40c1a9ac5f9c4fe23179300a5276cc34d7a94c9da5728cdf0090522d60fe5fbb65e386534871ca18d38a29b1ce3aef235c5834613cb250fc082f830ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
e94d5c3ab1d0904e801c6df77c502305

SHA1
1502a754445f2593ae43814b245d842320f617db

SHA256
2e5ca59c71680d1842b01ed6042c7ebb1767c1b0e7f014e215964dacf275f886

SHA512
821779d004b245bfb75099370b8f234913a1088879929f550f0fa729ea026340a67178a1c7789d6c7601b167797bb61d0d29707b054712154aac3c3598413e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
a82698087faa69f10e29cadea779db5e

SHA1
fefaf4e05b0f85703dbe3dbbb5a124e6f9becfd8

SHA256
134fb926effc9cc2323fb0dd430f3af0c80cb778df67a0cab988f82a60b78038

SHA512
72ebf43a95249fe2cd97e8aba7e391215525343bba555bc20627161bd5cba9f6c9f821f83eaaf7741f9c93ca6f1f8c9130ce045f1f6542cd342ac08fcd54d653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
5e11441300a1d25718ea2659a22a10df

SHA1
7ea58363aed4e1d2e6afa00d7b2a3ea7e117f648

SHA256
f4427508d989a4220f21271ad127f69989a0263be35ea5f5b187137941c33742

SHA512
dde45e7c670d791717fb4fd6825298a173822c3eb592d4789cca09eecd4d6106b08c7b224500e9925a6de21affbb79eedf04e3742eb3f80acec05b2b9f0b5fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
2c6ec1372949a929d361832c279de199

SHA1
ba7a3ee0f47169a4e4c15f3d20b81691bf176e80

SHA256
4a181e7be683a24ce64135045fc294e9ae6f21778b3a92f26af5f69efd2f5b1d

SHA512
735e8833ba66ea4ada8c20fb2b062318e6db3bfb8e74cb0636acd7001aecedf44f72dbeab72d741036484d679e73f4e3a1757430a6547088ca19b62dc1b77398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9e28c8e432f449acdc961c2284f5c389

SHA1
b1eca3ef0d0a65a8f5376588de539893b8b5c81c

SHA256
39b1cecd973acadf02f9c37f54cef320d6497db5183a43b70afd5f5616010e49

SHA512
d305729efda62c0296b249dae76f0f5997ffafa4454d325dd65d0de4d90cc3dba91df2fcf660acc3895f49d767a56e65ee8e08f344d3ed9146e647192fc34a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d59f.TMP

Filesize
48B

MD5
a53a772651d1f1cc2ec33faa1ac6be63

SHA1
e4b61767b1b1500250b023807e7dfddb69bc7da5

SHA256
9192b1d8067d8dff66f3b06fca06ff71458eca063b2fcdf3f119179854f46234

SHA512
4af55a4ceaa6d51adeffc0d813fb135c48efac8e35011126f3df4f0e6b8528793a3c2d405528db904587fec3e722a1bfed08f9a99dc045b4935ca72564a6fd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30d59d0659e7d9255bf5c0bb2df6d30c

SHA1
e19f190951d4488326b7382ee25a7adfcb16093e

SHA256
b76d785c14cc9a19242199fcabb78e4e2368f8f25825321d676b1bb0af2f2026

SHA512
be2bd2654318d0b54c81a5a99d9721ee237f80bf2e453dd3d74f4aa3ad1c9efe035ff387bd450a532214ade42d11c6ed80ae328c9a08e0789143610169dbd49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bb8f.TMP

Filesize
873B

MD5
51886bf2251b4ebab47f8cfe60e7be77

SHA1
b5bf5eb247cb0cfb3a8e6cce7afc7fcb1a22993a

SHA256
c8a046da94e76e72981048bbdac86dc0f62541b46285c845132d580a2f1d163d

SHA512
e49be326f8fcd1c122a0c6d383becb59c62b9469de633fc74fc605591f4e75c799a418cc753f68ec19945b64e8fffe2ae4d7028e147e26ce125d57118b8c3b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39cd03e60c0e6546ec86f3f49a0cea07

SHA1
ad3a0b28effc179d2f50cc33488323f56be5bd0b

SHA256
6636fbcd03b7a75f8481150f873d5651b0f83cd11fbd2ff9573c3b871e24269e

SHA512
467f87c1140b1f04c7aa6e3cf14687cf6ed9b5520360afbf24b9ec988eb882dbe4ce557e014e4614265919727635d897001f2b531aabf44285ae38c63cc14342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f860dc475fe407373a66c66c16292ab

SHA1
d929634866ae545e5251971be58b0f7242b27c61

SHA256
0cf658096288329238f4c2afc8613a22349a7402a51dc740cdc192a1fb25f536

SHA512
bdbfe18b5071f8e74cf3d5b9379156fbc9babf0cab617723d30d47e76ae4422d3b5176a2417700030c8f08f6b571b359db45439978ad3b6700f176a0038fa862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5a3ba4ffe970a5cff9b83bc1d7f9b248

SHA1
58239d74281d1a8614fb4aa193a7b740968c7b8f

SHA256
7e7b7336d35529fc2f1edea628d5ab00361bd6f2d01723a19ea86038a929c59f

SHA512
52028bb850da0bed13ad3d96d63b84522c47c32ae8851865cd2bcc8e7da59028b9fe4618ceb9c2879eeb18560dd5e19989406b75b211c8337dc7800e50828cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3d2881c32862ad9ed3f150073ef80931

SHA1
e17ec572514eeab96c6656e64d339a0153a0b4bb

SHA256
18582171f54e4fe8fbcc147b316e650511e4851f17022adbdf6f7b75cad6e305

SHA512
2b3dc731193b1424856f87cadc3293a78434662517e761e5764769ab512a959c768d2269f11b5d8711f92fe57b898e6ebd4b530aaa52578d7ceb7e0a6b30fc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-3.2349.1792.1.odl

Filesize
706B

MD5
668147e637238904b0bcd8cda344da8c

SHA1
65e2d8a86ff1b27a4695513733d61a7cf9a5fb75

SHA256
fb5cce9fae09bdd71cb0485a09c32b5cb452703aaf6f579573d758470e86288e

SHA512
3adf2d13aa9a7b3457d5f3e1223dfaac25f73a63d3b34676a4d2594f431af3f647f145acc80586744c7c8c6656b6b5bd749e2208b12d45d433f16c8183eec887

Download Submit