hxxp://tiny[.]cc/verycoollunar

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tiny.cc/verycoollunar

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{7C81D784-AC70-4958-A0EC-507A26CAC73D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
4444	msedge.exe
4444	msedge.exe
4784	msedge.exe
4784	msedge.exe
1536	msedge.exe
4868	identity_helper.exe
4868	identity_helper.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3220	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3248	4444	msedge.exe	83
PID 4444 wrote to memory of 3248	4444	msedge.exe	83
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 1472	4444	msedge.exe	84
PID 4444 wrote to memory of 2980	4444	msedge.exe	85
PID 4444 wrote to memory of 2980	4444	msedge.exe	85
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86
PID 4444 wrote to memory of 5004	4444	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tiny.cc/verycoollunar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc603146f8,0x7ffc60314708,0x7ffc60314718
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7662400993681297377,13187843371089594633,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
32KB

MD5
eeed3865918f5f4f828ba620f28ad872

SHA1
1a9c62fcb83b3b07e93bb4598e26fec821ca8729

SHA256
bd990ace13afd11503454ac99b3795d6d10d71f22f2805feb6566d2469c59a4c

SHA512
ada4f8269e3984782b3d5ab29cd5655636f431073266367fe9d602e338a208aa359a72ec3145e3131eaf1ffcd4a5154dcb1e7d9a0aec989416fe0293e13298dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
32KB

MD5
c3a6cdab067beb2f78014e56210ae536

SHA1
bd117962b45336e96e576c6243009e602d09ee47

SHA256
e605878123ff1aa07ad7665de4fb689d90ac89e2cf51e91428324d213f540ba0

SHA512
7fe893fedf95ec495216ace819e096448b544c32634c948a634e4e793b7ebc6d7740d7b739343412eb7af42604c9ba37deeadec016bc3caf286166718358ba14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
59cf8b2f95657ab72158036ea9b0163f

SHA1
3e15d647a12adaa2589752faedf3472d4ca13ef1

SHA256
08e4c6614d15d1e0f2150ac400e2a90d2911b03be0715ba468627b26bd5c0651

SHA512
54c2a6d8fd148c6dfba36e8d94d4646f96ab3d8e5b87d5690f8cb0918f5e88a2305d1a12d0198505cdc3ea810728ddf7797ef44d3bff19a0883a87cbe8b4f8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
cfd56e351b3ef86262c5a83565d5213a

SHA1
ecf1b9b18e89bedf6464c1f00f5032c5346a08be

SHA256
4d89eb3e381b21af06f25b6f8272cbfae18474891039036080af203e1400882a

SHA512
383cfdcd4687a7b751bd07cc5dec680b75901d58c7eb2ad8d67589b4c4a1f53d5ecca63594ef75ba21d2faa6608217ead9aee1b7b947d8ba4de5faec5c4922e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d398cc070780855c97938a88725b4da2

SHA1
9f45e71b0744a2014905ffb9f7d1118e3188716a

SHA256
de362dd8ffe42b8b27fb256b2aec9468e510aff043f90ffc2321472907670b88

SHA512
a2573bac155617c6748dcf7a3002c4a324c1f174e0cdad5b381ea66f7c6dd28399437cab1b283dd9d5d73af91aefb4a1fe08fe421919fac542ea2e0ea3e273c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
93b74c1f74b72706b12a2c72781b4307

SHA1
14046a10ee61eaffa10bc5c764546190b4673c93

SHA256
cf6f8708fa0ecabadbe69724e655712d6d591929124a4761e5121d8b3c5a25f5

SHA512
cbafebfabd73024a1efc8b27d2d180c68d869ce3397b32b6ac3c9e0c21b56c5c05edfe476fb991baee2787063e7a1491c85c281d8caf0ff333a15a362b94a4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe448472dfc0d743ad6e4c60844d50f9

SHA1
c7cf4fef56b938777189b05c0d87a45e86fd1f2a

SHA256
d1d589b259274247adb637f57ff50d20cefb02ff7a17bb3eb98e16479fd29eac

SHA512
0f44d391c97e692c4cd45fc594c806f1efcfcbd100c16a8bdbb6e368355e27a0622dab15ba5c96f941b8db7a8f0ba6b15bb21e8bb75d1e3fee8a5a22b65013d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5ce65bd9f79b0b2baeb4f06662a6140d

SHA1
beb5a0a228d8a5c8ef353ee5727255559b8c3d02

SHA256
75984d8ea2d44a2513d392fb96d2717b051622f528dfaa1084b2250249b7e9e3

SHA512
82a34e9d9d3626affedb0a1801a2ba59493cf91c243adaaff8a29165561d94c7631c92473cc3fef01376018ba0bf315ab45fe3768698152646f447cde6785180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ed87ab56f18ac2bcb1e597363564ca5

SHA1
b99d4f2b5c4c1e8df5fcd0ba4573a0a26fabeaeb

SHA256
cfe631f085095796b13bf24a273161ea9c49b578ab19a2be1fa287b49fe36bcf

SHA512
b443f9150cda5bbee72922010297d108c86467826c188359610911c4f7dad5301cacdd725e0aa6c346b11237258996bd2d08bd2f92989c6b8d88aefb58282816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\48f9803c-3348-4b04-ab61-bb989a7658f3\index-dir\the-real-index

Filesize
624B

MD5
d6f37f809408c69aca5bf259fb465974

SHA1
9b6d27e89e44138a8aede31ee7d55992c3589e42

SHA256
9690f4373917cd306aaa386b9bf698a637cd5de5df3968517eadda58934564b9

SHA512
504619a90c1a685dd63bd07ac3117025e657614752f2123b757ddc21ad46d7c9ad089028665fec56ce6e06029c802de89ec0c28acc93262bbcfab28ac6e8611c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\48f9803c-3348-4b04-ab61-bb989a7658f3\index-dir\the-real-index~RFe585966.TMP

Filesize
48B

MD5
2a7d3baaff21e503593cc699234085ff

SHA1
ad989c3a575fac8fce337ca8be0894537cff2069

SHA256
325def62a9880e80effe3cfb01dc5c37ba9d6afa39c5ecc2058ef93af4716ca0

SHA512
cfd161eb54bc57b89f98b7163a4051670fcf98d5189eec51fa0197111474d336aa085e953ce743466fc61f2d44e8809ee437eb6f19a1664203bac870e92a4b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a61dd5da-97c3-411f-8c16-cce81f1c2ca8\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e509b76f-a22b-42f5-8241-c0703a1b9020\index-dir\the-real-index

Filesize
2KB

MD5
634501f2625d70751dd53e03708fe040

SHA1
3865ec2c48c705f3fd92c7202c12e346d613bfd4

SHA256
39650c3073fab861aa63a4d1f801e8a8ec76352893b483a0c0aaa8887db82943

SHA512
1faa4362aed0f415f5212f33d7ba81a42a83cb125f4929911a79d4ae133aea87d24369330a1f29693714f4099158d3753afd90d4b2a1ecdbc028003c16b87b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e509b76f-a22b-42f5-8241-c0703a1b9020\index-dir\the-real-index~RFe57e242.TMP

Filesize
48B

MD5
f9ce7535e9d73b8adfd15c55740e5eda

SHA1
e7bc459410a7cdbbc2088ddde43e9b95b86e0b78

SHA256
b32f334a39b31595198c9e9c162cb38aeda57a44d7d0c819ece18729ffd1f6d7

SHA512
975d5b83be158049327f1f8d706cc53661f88d912f785701ca12f712aabe1a1b1631b9d5d80dbe3599a329417f817d00a3af275d903f942c7f316ee5c79ced79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
2c462c2602222876a58429b728c22279

SHA1
70031b44c091bdde547c9e868f3081d5872fec1a

SHA256
c70209c2d81a015c8c6f918893bd762c2adb737c8094d2d5664f71dea9159ab6

SHA512
102849c3315023dd91b8d401d513e8a55a5767fe6fa9e475d3fa51a92374af4c868bd4f9290c26118c97edbea301d8f683495db52062c5333d08f938c3ffdde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
71818d65d93553cd585151b33b6f69eb

SHA1
bba34ecd453ef3c5ded93021f665eea5e7e1e0ac

SHA256
640989d9c3b228a697f164888f2bb80a5ac1fe6396f02d30dcfda47f48c34461

SHA512
9d161868499561c1f766192d46282bc0f716b806ee4416180bd59292f56847bc8bc8654b146178641280f782c77d4d67abb7ed0783585a21e3ad5bce03de675e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
027ffdff2049937f69c906b4d6053788

SHA1
d4c5e858dd6f24b1c3fe44bcc96dba8d69ed63d5

SHA256
8dc11668723efcf62532ee1e097affb8458f634428e1062f1431dc780380c5c2

SHA512
6680cb4ff9d6303a0b8b051867cd919fad79129bb60eb8055c242e374da96a3a9545359357b6a8b50e01b49aa597f5b30745540b512542c457307fec2ac07beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
65ebf5eee6363ffc397be1dedd2ee80b

SHA1
6434163f08a5508be302542a46bf13a4e0ad9d5e

SHA256
ae0279ca324c8ec3faa05dff1d3d1185aeaf74314b722d0a55ff743d8a7c5c4f

SHA512
a768c92b5ae3156e5ac8f947cb435b0aee50e519af2fd2cca304258fa5447f0940753eaeca17458a52199d46597037d74dc22e0f540c3a7836ecbefc1be592e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
b8ef06f12b85db8d7906ece2dc66ad86

SHA1
644aa5276ef2fe54d481fc417080ec6d38d3ee0d

SHA256
3f7b0941741b616db86a7f50de3bb4195fcd55696db10d36a458a8c568f9bd6e

SHA512
733f1109ade5941046575ba5d1c0440348a4664ff5db5dc701d28e9b5a724dc8c81c27e98d7a995b7c69b0e51486f99a92abc2729a6ba85ceff31afc5bb6ad71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
a79dd96dd3b44f39a1a55f66eea470b0

SHA1
daf3bdccb1898c74a18cc08eb1112dd7b80d0e58

SHA256
eec6919711e6dfda1054e2a8538ac90cfd4dedb6ecfabdfc98d15bf57f6a3577

SHA512
1864022283f3150eb2cbff955decd4f27023f74b9d2da5777bb9740408784b7ae9ba0e98702ea9e22a5bc35ccd12ff048c4354c8f96f6dc7b4ae7920323aa4c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57877f.TMP

Filesize
89B

MD5
a465e60cd8061a8a531011edaeab0a07

SHA1
2d3770b61d89ab35662ce7af40ec0c98b5b488a7

SHA256
433611a0c8fa0d11d98327488c70e6b9761ef8d272da77d46248ed712df36c92

SHA512
a5db330153a7432faf86715b0daf2194d3a49a98af5499d60fd0bc69a7535b576e1cffeef2368640a5f8c34f0ef5a94d589da6d60557e6e5fbef34a13993a59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7fe3fb6c2144653ee3a075f1af521278

SHA1
8ce5a9e94568502b8ecb00eb0fc192fd68f71f3b

SHA256
3ad7ef3f1f60079dc28e21774580a2c98cb9029c78632a3326b656cb44d76b75

SHA512
0dcf7c8109baee1128d5201976310550d159761c63f3f9c4460f22ee2dbe3edcf000c1add0c0af5d9188b5eb34b0eafa8bcf489af9bd1d289fd03fd44e0dfad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
80ddecfca7024852a5f0b617600cec4a

SHA1
047d597b62e1c43ea7f200990ad1bbec7cf277b4

SHA256
04b23aa0bad14e1cd8d9f5f766259f5b8b777aebef472565990372159db18ad0

SHA512
4e639b5e54a5c7252975f9b19f37125edaf657101350cd1bd0460d6a20808a31f446c805a25231e4fa55981ed5a01cb27d90fced9d6aff3d7935af60199186ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d6c8.TMP

Filesize
48B

MD5
9e2a8b56cbe665b009918127d4b3132b

SHA1
d52603fae1b659d8e70a837c9e3059b97dcb71c5

SHA256
9e51ecb069187866379a9867c693fc6f1c393974a2623b30d67e7ad29fe3f2e6

SHA512
fe2807f0a75c2c4a1daa9e266fb4b13104ae028b90d9f7f61f25c5eabd1b4d1e8bc456146fcb50e49acf3f97fb14f81f5a94035ec128aae74f497d5cb511721f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9087e6872a44ef4368db4a344be9f7ac

SHA1
5388b10743d8b59c89a9f0e639b5233bd0a0c754

SHA256
79c218e0b2de208224cf8861862633b35ca5c2c3f67cb12f92b6a208474d0a6e

SHA512
50f2443c2d40a213da51e53a6526b3f687a17f775d2060821435842d469d4d162c1703f5ceee6d6800671d525d74091547371ae17f71eee9cfcac38f3ea98ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5821db.TMP

Filesize
1KB

MD5
d120338216aee19d58c0d4cbb1a35b08

SHA1
9604940d30c21d30c32bd24d4becf36c89983705

SHA256
604d76f64ba96441293c54ab455e9e9bb419068d0f6a5afe17a0a5f55c076856

SHA512
fbb12690b48c0555ab6cbe1b871f7d9611b83a62b5aad784da42c2056996ae012d1f5dc0cf111a731cd8c8920f61088f48da378581cee14a619768ac00ce449d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd32f177af73281514677de714457ee1

SHA1
88a3ea6da2ce4bd24e982d59a0ef89b3ca5f7fec

SHA256
4136ef81deff554bffa426484a79bc830fc66d76bf2879ed7fb5df8b32b84cb3

SHA512
5647aea2f13af14bcfc1ef39389d70d0679a63712a3ca2d52900af80e9124dde3746a419278d2f3b98211b6a8d4ce6809a6d4c409881078657758b9090a38a1e

Download Submit