hxxps://google[.]com

max time kernel
214s
max time network
212s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
13-09-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://google.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133390793088975988"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = f15ae12538e6d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{68A6E9F9-82D7-4AF8-BB1E-E444ECA7C930} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4555533538e6d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 10f34b3438e6d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d3767e3438e6d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c24b1e2038e6d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2398454716-3289288241-2843025796-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
2884	chrome.exe
2884	chrome.exe
5236	taskmgr.exe
5236	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5236	taskmgr.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3104	MicrosoftEdgeCP.exe
3104	MicrosoftEdgeCP.exe
3104	MicrosoftEdgeCP.exe
3104	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	600	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeDebugPrivilege	4580	MicrosoftEdge.exe
Token: SeDebugPrivilege	4580	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeDebugPrivilege	5236	taskmgr.exe
Token: SeSystemProfilePrivilege	5236	taskmgr.exe
Token: SeCreateGlobalPrivilege	5236	taskmgr.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe
Token: SeCreatePagefilePrivilege	2884	chrome.exe
Token: SeShutdownPrivilege	2884	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
2884	chrome.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe
5236	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4580	MicrosoftEdge.exe
3104	MicrosoftEdgeCP.exe
3644	MicrosoftEdgeCP.exe
3104	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 3104 wrote to memory of 2576	3104	MicrosoftEdgeCP.exe	74
PID 2884 wrote to memory of 2408	2884	chrome.exe	79
PID 2884 wrote to memory of 2408	2884	chrome.exe	79
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 2240	2884	chrome.exe	81
PID 2884 wrote to memory of 3864	2884	chrome.exe	82
PID 2884 wrote to memory of 3864	2884	chrome.exe	82
PID 2884 wrote to memory of 2784	2884	chrome.exe	83
PID 2884 wrote to memory of 2784	2884	chrome.exe	83

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://google.com"
1⤵
PID:4456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbcf339758,0x7ffbcf339768,0x7ffbcf339778
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 --field-trial-handle=1856,i,15836354654780569210,7234552622726800877,131072 /prefetch:2
  2⤵
  PID:2680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
24be8a92460b5b7a555b1da559296958

SHA1
94147054e8a04e82fea1c185af30c7c90b194064

SHA256
77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

SHA512
ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\9725596c-89bc-4100-a188-7b013c19b87a.dmp

Filesize
805KB

MD5
b366d0c7238cbdb1d3684714df516fd4

SHA1
c3a5f47c81089d2391210fe00593b3040a5dd59a

SHA256
46535291d67d4f2e8cbba73635901619a31e5d27826de89850ce0ec0a9ad70d3

SHA512
9364b8a662bcbec4cef009c94cae649dadb7cb22948b6354f0ffaab3960129ab5218901cb4a43dfb7e8f9233fc57a547b10b1721edad5e3e9203aef9e5d99324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a3b238a2bd92e092ca1ed987be5ec5c2

SHA1
b7026b6d5cf28232fb31dbb297a421463bd3eb7d

SHA256
09576755bf265ca16205c36f4bdd3ae2135a10fdf2b961e7fae13b1a85d4cc41

SHA512
22da3e578ad3eb2054c12d69193767be43ddba8e13f626155961243f7636360b3d27c08db08e900af1872949cf8a743d04f7df8edf4b1ef042893f850a9e3878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2d9b3a9726a3bd9c5dd137e241b541c7

SHA1
aa0f426bc01a0d225e9f81a1c061153e38afe684

SHA256
40bf19379ffacb05b4f838b1afafbc98b467fd74cf421a806009b4c340e2b994

SHA512
c3f04b1984ffe83b8bbca7c54b72e63543fc260545acacd8e215275b2ca2d9bb68985e2873513d5a17399fee0b4d1c0eb52c276948a4ea34a29de6567e7a5f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
adb81b3a604d04228b8f41620fc79c86

SHA1
a4f749ca5104d4e6ca2db79e1361dcb8bd021862

SHA256
e042d3b37d698333f517f83df182813b790ad61783c1d4d6f4d74ab9004d36c7

SHA512
14ab8b4e23ad242099cab658e04fe8c484b1d643997f2eee8a427bc42b8166f140b7bf65854d4fb389b140a88260f7900d08efc48c13465b2ebe89ce1d4b86cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8acb07ce1bcbb2990d69dca836c76fa7

SHA1
0e8c518476c319c015e9cb488eff2872a43e9c71

SHA256
eef9518fae18aa5e8f4d19ee761bf5c1b44a2c7fe6686727ffc4b4e779fdc814

SHA512
f1391a458ea916e3b04ed0558a92d1d0a5136fcee32253a2dabb145126c22d2ac0123e9a59c82ee32253b0e0a305ba7b42a09d1ac63c1d79e2268c9b9b8bf09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
128aa4e0216e75a4ff9d17bc6199ebe7

SHA1
cb31fae181b8ed2bd9da43f21df3db7ae93dda69

SHA256
0ad5d7e1add1a310d056237de59f673fb63bdeeb02f4322b566fa0d4945b89f1

SHA512
44ad444855bfc2a49f0bdeea405e091545e2093eacb4c5d100690fba56dda6347b343ad87214b9498b17d3d41ad84b727c7a7551eb3245e24ec9a8a4b1be4f31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ebfb5352578689337c789ea0e1f284d0

SHA1
390c669468d5e3cc514d55219b9d812552bdc7f8

SHA256
1e425874153b8b5b514a2ea1bb159529cf244b4cff6617c3acbcb4fc39d1dc2f

SHA512
856bd27b8ab5a2fa9886da12ff1ee4f28dffb7ede974f176c76a19c6fbe845aca81ff1a2d8ee8e3dc9f3d3bd61e52dd141595509daf2b668b2d2f89db9a7f87b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
33e5a1b45f384016afa3a7daa9bfdc7e

SHA1
7fd01bfe6899a26b34dfba869cfa8745bcb2afc9

SHA256
4d4e023211a3fcba2d7019955281535a738ba1f9673ceaf3eea117cb9f4afa63

SHA512
2cfbc78315b332b4fdb6c56afb4f4dc7516016c21e68fce1980fbb26a1393a579d3af4cfd3b987312fc508ae544da6e807ea5fe5250975e54702192adb847b74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
98KB

MD5
88ed083bad963202a91df806af4cad1c

SHA1
51e3fb63a4a64704c74529d0869788c94ef1b063

SHA256
d6c6b997dfa73340e9f52ea38e960b314a88aa8986fd0d3b3d82bcaa68492d65

SHA512
02f9a75506c95ce39666aeae2652ddf66558efb42092029ec23a779f71e3adf5383b55c622c885ff559a3f0fb9baca491b5e7e3696f85a9a91c368190cdcbe4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
0eee5573860c6879c46c706e39018c33

SHA1
bd633d80e70a702abd1f940f15c6e6fbd9bf44e3

SHA256
71f7251981c1b42ee82af6b9502386d995c6f139f0806491a2957181c48be61b

SHA512
c8fd33d5b1ce00976c51c7c022b543bfa95492eab8f444f1f6ec38b59f8e1b2b95360c5e5a50e23333b12a4523b4058eb104e89f1debb1cb24155970394f6ffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
213KB

MD5
905bd0b0602df9a46e267b79c26dcc2f

SHA1
2417e2a5a5cd391f273d46f6aeba8b804e37b468

SHA256
aca2743d2973a7aae8cd16073bd3d6efe2f3305ff7a91d183c678923e447b627

SHA512
0ff562004715efbc79e81b9e0a18b2f32f5aafac15629b807ba9df5c26f9357a54d5b2cb8fb192e68c01146c0d9f62b0b866ed3ee8d7a4b3c0e894d5ba82de85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMAQ31I9\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NOUA9EM4\m=_b,_tp[1].js

Filesize
178KB

MD5
17db8bc0158d5e96a3914b8e208d35fc

SHA1
19918440b239b79847a3df1726b5442d67c48e20

SHA256
32314db0d3aa698d9cadefd22c84607240d83b99bdf3ec2fdee80b4240d14154

SHA512
3b1c51781f51fb175dccae4f73319033e231f14a7ea73bfb26b33d006b779918f031c3ca29a66cc0bdc9b07b1639ad3108227690529582aa1379bddfd914a662

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NOUA9EM4\m=bm51tf[1].js

Filesize
1KB

MD5
00cd73ad84c2045efb46ca4c63335312

SHA1
4b3430138a6d1667aab6d5d9266399e6a2454dd5

SHA256
ef27457f05ee39d3f63ae5ac884e6c7f7c14e82591c31babf52e45a7391dc743

SHA512
6f877f9ba933fa9104dd3b6322d393c846fde39d49bda03c679acc1790c2c5a178ffbe741dd113a65df1afc83d42bfdf98813c24622280f60abde456bd3d5d3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWNF5NOJ\m=RqjULd[1].js

Filesize
18KB

MD5
4b20a4ad1e04135c2b618fa7e842b0c3

SHA1
497f7092a246f9f0654674f55f484bd3b4e8b7f2

SHA256
ece0aaba67570868a1fffe03276cff7f332b60082a70055d1927e007982ccc5c

SHA512
3b76c45178845788e8de91b5e4b173a88be9ec437adfeea8f135d2ca3f74dfca04e2f48f7374eb1cb6c9b4b3c2c4f0b90a1d6e1ce54709d1bc74f7b6ab2b22f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\H1LU1BSZ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
memory/2576-122-0x000001FD4EA40000-0x000001FD4EA42000-memory.dmp

Filesize
8KB

Download
memory/2576-228-0x000001FD522E0000-0x000001FD522E2000-memory.dmp

Filesize
8KB

Download
memory/2576-335-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-336-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-337-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-338-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-339-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-340-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-341-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-342-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-343-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-344-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-345-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-351-0x000001FD3D580000-0x000001FD3D590000-memory.dmp

Filesize
64KB

Download
memory/2576-237-0x000001FD522F0000-0x000001FD522F2000-memory.dmp

Filesize
8KB

Download
memory/2576-240-0x000001FD523B0000-0x000001FD523B2000-memory.dmp

Filesize
8KB

Download
memory/2576-208-0x000001FD52000000-0x000001FD52100000-memory.dmp

Filesize
1024KB

Download
memory/2576-76-0x000001FD4EC20000-0x000001FD4EC40000-memory.dmp

Filesize
128KB

Download
memory/2576-83-0x000001FD4E490000-0x000001FD4E492000-memory.dmp

Filesize
8KB

Download
memory/2576-135-0x000001FD4EA70000-0x000001FD4EA72000-memory.dmp

Filesize
8KB

Download
memory/2576-91-0x000001FD4E6B0000-0x000001FD4E6B2000-memory.dmp

Filesize
8KB

Download
memory/2576-118-0x000001FD4E820000-0x000001FD4E822000-memory.dmp

Filesize
8KB

Download
memory/2576-115-0x000001FD4E7E0000-0x000001FD4E7E2000-memory.dmp

Filesize
8KB

Download
memory/2576-110-0x000001FD4E7A0000-0x000001FD4E7A2000-memory.dmp

Filesize
8KB

Download
memory/2576-103-0x000001FD4E780000-0x000001FD4E782000-memory.dmp

Filesize
8KB

Download
memory/2576-100-0x000001FD4E700000-0x000001FD4E702000-memory.dmp

Filesize
8KB

Download
memory/2576-95-0x000001FD4E6E0000-0x000001FD4E6E2000-memory.dmp

Filesize
8KB

Download
memory/4580-0-0x000002AEE6D20000-0x000002AEE6D30000-memory.dmp

Filesize
64KB

Download
memory/4580-171-0x000002AEED470000-0x000002AEED471000-memory.dmp

Filesize
4KB

Download
memory/4580-172-0x000002AEED480000-0x000002AEED481000-memory.dmp

Filesize
4KB

Download
memory/4580-35-0x000002AEE7330000-0x000002AEE7332000-memory.dmp

Filesize
8KB

Download
memory/4580-16-0x000002AEE7100000-0x000002AEE7110000-memory.dmp

Filesize
64KB

Download