0384750607deffb5a41a559dc3213c6fe63142c06f494987ed2183fa8045c0db

Resubmissions

16-09-2022 19:13

220916-xw7t1agdg8 10

16-09-2022 19:09

220916-xt8zaagdf7 5

16-09-2022 19:07

220916-xsnxqacbgk 3

Analysis

max time kernel
161s
max time network
161s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16-09-2022 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document#851980(Sep15).html
Size

711KB
MD5

b5f297c838ea8e0311f0ffd7ae2de97d
SHA1

268d48fb52b4e58077c93dd44a4579b80bd76b03
SHA256

0384750607deffb5a41a559dc3213c6fe63142c06f494987ed2183fa8045c0db
SHA512

d6ce008bae11121cc439fa832096fbe41f48ebe3f316ec12c75874104400f9352fde478ff836779c005fed9550fea425cf6988f9d6176a51c94505f07b954a2e
SSDEEP

12288:zYcg+MduTLzsQ1ICbDvUGchAGl0gdgKxv:0n+MdyHDICMhlPq0v

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d8bcd69a5bbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984704"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "141538161"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984704"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32DD80B7-35F3-11ED-9424-EEBFA1E365DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0088790900cad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "370168979"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd801100000000020000000000106600000001000020000000b5e7306805dba733b72f6cfadbee08c9285bee045e3f548d4393119d763f96cd000000000e800000000200002000000047e671cec2631eb7489cabc60d382a9028193c43c0fd6962c66a4861e12e432c200000001b184a3f0cc5cce21abdf493709872d99b7c508d0be1bfa0e096023b483fab9940000000cd19ffd603bee3f794ad5d2e6f2fd3e5d3ce56c7cbb9ae4336ca54e1e7f1d244718b539e366863cd70c3911fcdbd8bcf10a515f875a0aab46848c720b018a2e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "124295956"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370120392"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30984704"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd8011000000000200000000001066000000010000200000007006d8cd1938434806d8ae392662153c8975227f9faf1176be77e8efd995ddaa000000000e80000000020000200000008abf99ef933732496d7844416a2c01381dee215969ff472b5445e177a60c0001200000004de23274f1441097b69dc6e17028604e869a661f7b02dacf95cf13f22bd2479e40000000a0c4bac73b96b73785bc1da19db5050f34915d92500c5b51f2da0b47d9564fce9b0505ed46a2af8835d032ffa75d3dac8cd368634123e941e57678ff15ea3e96	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "370136987"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "124290535"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b8870900cad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = a5314d0800cad801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "745"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FirstRun	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "43"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "551"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "612"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7dde1f0600cad801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 7bef3f1b21bed801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 80473d6532cad801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1418"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000060504c7b02782cba82b3ea7b3db1611ae975672c4ff697075f327d66394b5f48f3da61a1b9e37917668c9ec1e30a29dfd93963ef4b81b488fca	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "16"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com\Total = "758"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 499ad30000cad801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "46"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "370137004"	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4580 MicrosoftEdgeCP.exe
4580 MicrosoftEdgeCP.exe
4580 MicrosoftEdgeCP.exe
4580 MicrosoftEdgeCP.exe
4580 MicrosoftEdgeCP.exe
4580 MicrosoftEdgeCP.exe

pid	process
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeAUDIODG.EXEMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3896	MicrosoftEdge.exe
Token: SeDebugPrivilege	3896	MicrosoftEdge.exe
Token: SeDebugPrivilege	3896	MicrosoftEdge.exe
Token: SeDebugPrivilege	3896	MicrosoftEdge.exe
Token: SeDebugPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4772	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4772	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4772	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4772	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5104	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5104	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3740	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	3740	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2484 iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXEMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
2484	iexplore.exe
2484	iexplore.exe
3292	IEXPLORE.EXE
3292	IEXPLORE.EXE
3292	IEXPLORE.EXE
3292	IEXPLORE.EXE
3896	MicrosoftEdge.exe
4580	MicrosoftEdgeCP.exe
4580	MicrosoftEdgeCP.exe
4772	MicrosoftEdgeCP.exe
4772	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2484 wrote to memory of 3292	2484	iexplore.exe	IEXPLORE.EXE
PID 2484 wrote to memory of 3292	2484	iexplore.exe	IEXPLORE.EXE
PID 2484 wrote to memory of 3292	2484	iexplore.exe	IEXPLORE.EXE
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 3740	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4580 wrote to memory of 4772	4580	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Document#851980(Sep15).html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0708e559410e8dc68f3dd1a7622ccf08

SHA1
ab4cfa91b39bd11461edbf133d889f04789afa1e

SHA256
ab31d03e4e5401bd3df1c339982d79631980777a9d7d4d49c694ee6385a5b30c

SHA512
76f45998ef092b990edca0b010c37f213571eeed419393055bb8fbbfe11818b45b2de1719436a6236e0b8a2bcec1bcb8b1cfa621b74e7e6088db2219afa66b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
03c485b000ff85eee0d98ac1a164f104

SHA1
0fd733d6025657db643a53410575d2e36a124735

SHA256
3425c13f8071db8a6e14d99cf473d23644cb19f848c82b43306eed2e9992edd7

SHA512
16b85179953b05573c254dc922ff32f392e47558871e0cde3a2b079cb98c42fa63ffc91fd267cff3f99ba87e43162a1a6a29c981252d4501255634e29a3accf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AHIW4P9K.cookie

Filesize
609B

MD5
b9c8682963d6c395095d8695a58c679c

SHA1
c09cd36702c47a2007743172357a18d365abcb7f

SHA256
435bc1ab89ac0378bbe3e479dc7926e6c84e46ce8b83e44eca9aea4023a8aa57

SHA512
4ff5ec17f6bc2c22164cedff56515923ea4cf484348c092ff37a118b9e8ee9c313f7b8ad430ab419f7771fb88854d175469c3c66f7b8128cb5df0f8bba665484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GR7OH3UA.cookie

Filesize
610B

MD5
f6437d50ca9e3f74802512bdc96435fd

SHA1
1cd9841da6538f8a095b2349aecc243130717880

SHA256
9be0f28fcb2cfef0b035baba604314e75626528c71ad0c20595690e79a483990

SHA512
bb07b913b4e7599025f71aba9abd3ecfbb3f834eefca0c07ce5035799866234e577bdb13d6ed3b476d722d3baf2cb1a07ec564405986cc65ecff70d9b1eb7241

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
8e8df612036e5bfbac1933ba916721b3

SHA1
c017ae04863e469cf3b0b116fe428d0b3132e7db

SHA256
a02421a96825229991036af9d785f20991bab49e8f40c463a74fa0fe79f10cc7

SHA512
70b00eae51dd1b49bfac3953a1b191a8eb1c4914ad64f823db2620c8029ac02c4f6d631b13a807f97f5bed1554773d216ddd6ec57cfa4dff79694a3ee8fb5313

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
36e4e0934c79e99d7c510d502bbb41da

SHA1
5294e5f5e71d3fa4ced92fc496872926998f4de8

SHA256
876c5a30be1786573880930085d24446975b8e13c161bf6dd21c772612546baa

SHA512
d538c428406620239a0cd9e173b79d29c71de540aadaefd848cb428690636e2fa774f7d887fa6b51df5543e0147573a05fcfbb1866b327983db96562e2689126

Download Submit
memory/3896-121-0x0000013758F20000-0x0000013758F30000-memory.dmp

Filesize
64KB

Download
memory/3896-120-0x0000013758E20000-0x0000013758E30000-memory.dmp

Filesize
64KB

Download