fa7465ff52d0725c0ce446ca4f1686a3912c5117e7e37d87c5c4c013ec629599

Resubmissions

11/05/2020, 15:26

200511-xt1564wyhj 10

05/05/2020, 23:59

200505-rl298pza1a 10

Analysis

max time kernel
151s
max time network
154s
platform
windows10_x64
resource
win10v200430
submitted
05/05/2020, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

go.exe
Size

2.5MB
MD5

f7508239b937b2427649be8f77718f60
SHA1

ae85ece228d81f1b4cc8203bab4a8a2e45c2dc05
SHA256

fa7465ff52d0725c0ce446ca4f1686a3912c5117e7e37d87c5c4c013ec629599
SHA512

005a8cb1408d1049cf7926309bc7bf17689588b8804defd99dbfced6c36795faab4559320dc71d59f5259c7858bdb032d88c83c56f6cde2e9d9f0d28f8f1a66f

Score

10^/10

spyware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2112	1164	go.exe	69
PID 1164 wrote to memory of 2112	1164	go.exe	69
PID 1164 wrote to memory of 4024	1164	go.exe	75
PID 1164 wrote to memory of 4024	1164	go.exe	75
PID 4024 wrote to memory of 1612	4024	rundll32.exe	77
PID 4024 wrote to memory of 1612	4024	rundll32.exe	77

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3968	MicrosoftEdge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1128	3968	WerFault.exe	73

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1128 created 3968	1128	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe
1128	WerFault.exe

Makes http(s) request 1 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	8	http://www.msftconnecttest.com/connecttest.txt

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies control panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1612	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	MicrosoftEdge.exe
Token: SeDebugPrivilege	3968	MicrosoftEdge.exe
Token: SeDebugPrivilege	3968	MicrosoftEdge.exe
Token: SeDebugPrivilege	3968	MicrosoftEdge.exe
Token: SeDebugPrivilege	1128	WerFault.exe

Checks whether UAC is enabled 1 IoCs

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdge.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies registry class 114 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000098090aa9fae15ccc56a507ed4d784d2fd8a9196f2d118c8137e79fe36f4153841b9fec539540357de9286df4700c2f49178eec24138438a6892d12baa48d2ef71f5a38d12d305f5ba3f9b4d35bb9dbc5412795bf4ed8468177d1fa86b3c21047b2597547b650372cab370e94051f6785b49547a9a7ad3ab9cef18bb759813e0eb8befb389b420070f2027564edddf2acfcf8078ecfa351f73fafb53da66828af81a8c3e80da51d38817a4c27e3957a0b7771d02bb25a7183ed2971bf6d19fcba7f37d90dc618d40635c0d7bcdbe65610cd1e046c59730def4b817096a03223f8218b34d9d13d07c348f24e3be0702b549520c5d3478c36d0eed5a2a1f954ceedd8c336483bb394bb123153e0f9d3c7ab6c98903b554618895947f4e616208d018e0197cb8a19f8b57d9dc30b16af09d109a4c3e0e44152269ff5c3ffaa340a285764113bb61192155156d0db3ca43f9acf6595bdeb1d5146f401c35e42326b21160c8a187c3add0d677cba913e527bbd91fbd539827aa1157c8a635cebb8d2468b182f26ae3382de512fc8cc50593e283e87a22201f9de59cfdd887b4e3bb59eb3e0a16cb0fa	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{679B7AC9-5819-488F-B0CE-DDF4C5F0FE68} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{41DE3F34-F63F-458B-ADC5-0587EED1E74F}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 02666555f01ed601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000034df0a8d26d1ebd956876689d9c0cd353c0082481a7e57af7350f0a969f509c97db2802a4d7781c7d8344073268c8a1f4a18c0e4a6da1e8c49dc	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 02666555f01ed601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004d3cbc7cdd5ddd3e17f5102a363ba1e225459fdd61930885a2645272debcd3b93450634726c2e97b4fe866eadf01cc4fe611b84e5cce38c138d42ce6830d1362697d59ca6edbacdd6fbcace32e7c9d3d8bb6f49d92250a969851a617	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 02666555f01ed601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 02666555f01ed601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe

C:\Users\Admin\AppData\Local\Temp\go.exe
"C:\Users\Admin\AppData\Local\Temp\go.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler https://google.com/
  2⤵
  PID:2112
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler C:\Users\Admin/Desktop/LEEME.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LEEME.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies control panel
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
PID:3968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 3396
  2⤵
  - Program crash
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-1-0x00000200056A0000-0x00000200056A1000-memory.dmp

Filesize
4KB

Download
memory/1128-2-0x00000200056A0000-0x00000200056A1000-memory.dmp

Filesize
4KB

Download
memory/1128-4-0x0000020006510000-0x0000020006511000-memory.dmp

Filesize
4KB

Download
memory/1128-7-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-8-0x0000020006600000-0x0000020006601000-memory.dmp

Filesize
4KB

Download
memory/1128-9-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-10-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-11-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-12-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-13-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-14-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-15-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-16-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-17-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-18-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-19-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-20-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-21-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-22-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-23-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-24-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-25-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-26-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-27-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-28-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-29-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-30-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-31-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-32-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-33-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-34-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-35-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-36-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-37-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-38-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-39-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-40-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-41-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-42-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-43-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-44-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-45-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-46-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-47-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-48-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-49-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-50-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-51-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-52-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-53-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-54-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-55-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-56-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-57-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-58-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-59-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-60-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-61-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-62-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-63-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-64-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-65-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-66-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-67-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-68-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-69-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-70-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-71-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-72-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-73-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-74-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-75-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-76-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-77-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-78-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-79-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-80-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-81-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-82-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-83-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-84-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-85-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-86-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-87-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-88-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-89-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-90-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-91-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-92-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-93-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-94-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-95-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-96-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-97-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-98-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-99-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-100-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-101-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-102-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-103-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-104-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-105-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-106-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-107-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-108-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-109-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-110-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-111-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-112-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-113-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-114-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-115-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-116-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-117-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-118-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-119-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-120-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-121-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-122-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-123-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-124-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-125-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-126-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-127-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-128-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-129-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-130-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download
memory/1128-131-0x0000020003BD0000-0x0000020003BD1000-memory.dmp

Filesize
4KB

Download