redline | 99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
11-12-2021 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
Size

529KB
MD5

69b0537aa7c938d286c62da1aa9565a7
SHA1

b6346d3e607b1b14f33422856dc0fc6ad9315041
SHA256

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b
SHA512

bda8565e1c8655cefcc3fb82bee676999625c065f86be475e6461be30a7fe07f58fce43f41fc816d9fe4607ec73963c38a0c87df5ce05e3d138d64e1d0404fb6

Score

10^/10

redline 777 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

777

93.115.20.139:28978

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3620-122-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3620-123-0x0000000000418FBE-mapping.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe

description	pid	process	target process
PID 2460 set thread context of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "47"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 35e9754e79efd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 90b7a3aeabefd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axiebox.axieinfinity.to\ = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to\Total = "144"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axiebox.axieinfinity.to\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to\Total = "28"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 30ad2c4daff7d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ffe85d4979efd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\axieinfinity.to\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to\Total = "91"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE6	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{7E8854D2-AC2A-41DD-A503-1FEFAAC8A188} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to\Total = "47"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\axieinfinity.to\Total = "739"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3568 MicrosoftEdgeCP.exe
3568 MicrosoftEdgeCP.exe

pid	process
3568	MicrosoftEdgeCP.exe
3568	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
Token: SeDebugPrivilege	3620	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
Token: SeDebugPrivilege	2124	MicrosoftEdge.exe
Token: SeDebugPrivilege	2124	MicrosoftEdge.exe
Token: SeDebugPrivilege	2124	MicrosoftEdge.exe
Token: SeDebugPrivilege	2124	MicrosoftEdge.exe
Token: SeDebugPrivilege	3948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2892	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2892	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2124 MicrosoftEdge.exe
3568 MicrosoftEdgeCP.exe
3568 MicrosoftEdgeCP.exe

pid	process
2124	MicrosoftEdge.exe
3568	MicrosoftEdgeCP.exe
3568	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2460 wrote to memory of 2512	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 2512	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 2512	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 2460 wrote to memory of 3620	2460	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe	99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3568 wrote to memory of 3948	3568	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
"C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
2⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/2460-120-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2460-118-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2460-115-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2460-119-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2460-121-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2460-117-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3620-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3620-123-0x0000000000418FBE-mapping.dmp

Download
memory/3620-139-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/3620-129-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3620-128-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/3620-130-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3620-131-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3620-132-0x0000000004ED0000-0x00000000054D6000-memory.dmp

Filesize
6.0MB

Download
memory/3620-134-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3620-137-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/3620-138-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/3620-127-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download