redline | 87a7b8a96e23c4877698d665dcce69b7ef434e86fb82610193b9a1d503c02fe6

Analysis

max time kernel
149s
max time network
146s
platform
windows10_x64
resource
win10v20201028
submitted
10-03-2021 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1adbb0c6365fbd5055f234acd6bfd01a.exe
Size

882KB
MD5

1adbb0c6365fbd5055f234acd6bfd01a
SHA1

5aae335d0716f476ca2834d6433eae822ff1d614
SHA256

87a7b8a96e23c4877698d665dcce69b7ef434e86fb82610193b9a1d503c02fe6
SHA512

8503bfbcbe7fe620fe87592abe32f0f31fcc82c18d88073b33b8a1f2ae465fcf10d50bfb5e5ebb3f4638257238a05a4a131e62da7726eef4d2b0e752d20b5b43

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4296-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/4296-17-0x000000000041F3A6-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

pid process

2764 3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
4296 3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

pid	process
2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
4296	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1adbb0c6365fbd5055f234acd6bfd01a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	1adbb0c6365fbd5055f234acd6bfd01a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

description	pid	process	target process
PID 2764 set thread context of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileCountryCode = "US"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileVersion = "10"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 4041a7368a15d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesVersion = "6"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000e510f7a915406dd59f2e20452eefb6483d09148b19a708cd7a09b7da562ef72acddb84b25e7f61c6a190ea10820b8f94c0fa3ca1d06182ab10fc	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "322200847"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 10d71288bc15d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "322131079"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000007ae6870e545335a1dc38a84077048e975a2d1100a80e1a18c956b8cf6fba628c83dbc3c33f94af4d02162f77ebf8dd3aa25df26964524eeba3be	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{DB0B0F62-BA42-43B4-B514-981D8A40E6B8}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e22bd8228a15d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

pid process

4296 3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1adbb0c6365fbd5055f234acd6bfd01a.exe

pid process

3888 1adbb0c6365fbd5055f234acd6bfd01a.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3868 MicrosoftEdgeCP.exe
3868 MicrosoftEdgeCP.exe

pid	process
4296	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

pid	process
3888	1adbb0c6365fbd5055f234acd6bfd01a.exe

pid	process
3868	MicrosoftEdgeCP.exe
3868	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

description	pid	process
Token: SeDebugPrivilege	2056	MicrosoftEdge.exe
Token: SeDebugPrivilege	2056	MicrosoftEdge.exe
Token: SeDebugPrivilege	2056	MicrosoftEdge.exe
Token: SeDebugPrivilege	2056	MicrosoftEdge.exe
Token: SeDebugPrivilege	1560	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1560	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1560	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1560	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4296	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2056 MicrosoftEdge.exe
3868 MicrosoftEdgeCP.exe
3868 MicrosoftEdgeCP.exe

pid	process
2056	MicrosoftEdge.exe
3868	MicrosoftEdgeCP.exe
3868	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1adbb0c6365fbd5055f234acd6bfd01a.exeMicrosoftEdgeCP.exe3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

description	pid	process	target process
PID 3888 wrote to memory of 2764	3888	1adbb0c6365fbd5055f234acd6bfd01a.exe	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 3888 wrote to memory of 2764	3888	1adbb0c6365fbd5055f234acd6bfd01a.exe	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 3888 wrote to memory of 2764	3888	1adbb0c6365fbd5055f234acd6bfd01a.exe	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3868 wrote to memory of 1560	3868	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
PID 2764 wrote to memory of 4296	2764	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp	3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp

C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe
"C:\Users\Admin\AppData\Local\Temp\1adbb0c6365fbd5055f234acd6bfd01a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3888

C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764

C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
"{path}"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
MD5
b4374d21ebb16da6b2900a4959e46910

SHA1
13c11a3abc2c5c930a46449637c79067c07501ea

SHA256
3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13

SHA512
e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39

Download Submit
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
MD5
b4374d21ebb16da6b2900a4959e46910

SHA1
13c11a3abc2c5c930a46449637c79067c07501ea

SHA256
3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13

SHA512
e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39

Download Submit
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp
MD5
b4374d21ebb16da6b2900a4959e46910

SHA1
13c11a3abc2c5c930a46449637c79067c07501ea

SHA256
3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13

SHA512
e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/2764-9-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2764-8-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2764-6-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2764-10-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x0000000004ED0000-0x0000000004ED2000-memory.dmp

Filesize
8KB

Download
memory/2764-12-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/2764-13-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2764-14-0x0000000007590000-0x00000000075FC000-memory.dmp

Filesize
432KB

Download
memory/2764-15-0x0000000009B40000-0x0000000009B6C000-memory.dmp

Filesize
176KB

Download
memory/2764-5-0x0000000072950000-0x000000007303E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-2-0x0000000000000000-mapping.dmp

Download
memory/4296-17-0x000000000041F3A6-mapping.dmp

Download
memory/4296-27-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4296-20-0x0000000072950000-0x000000007303E000-memory.dmp

Filesize
6.9MB

Download
memory/4296-23-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4296-24-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4296-25-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4296-26-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/4296-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4296-28-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4296-29-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4296-30-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4296-31-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/4296-32-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4296-35-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/4296-36-0x0000000004FE1000-0x0000000004FE2000-memory.dmp

Filesize
4KB

Download
memory/4296-37-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download