769112f926407e338cf936922464c85b2399ca02af62a95eb95c7e83cf9cb909

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4994bf7c857ca7415457c3b6be5c58cc.exe
Size

232KB
MD5

4994bf7c857ca7415457c3b6be5c58cc
SHA1

f9adedc4b093f768e3290d3cc6e833de556c4636
SHA256

769112f926407e338cf936922464c85b2399ca02af62a95eb95c7e83cf9cb909
SHA512

15cd5786c7d975d4bdc16c63756fb244e5658db4f444ea9bc5c09b3fedc182e42813bac28a1526215c51ea3489524094d63992964969c820c0044849f0cc0f6f
SSDEEP

6144:og24Ws5OAE3axLEElbZn1xtUmQOfscBdd2sVWPv:i1GOAWymcx2sV8v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
560	sererve.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe57782d.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\935b3964-b02e-42d3-9616-0433aba1e94b.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{82CED895-AD80-11EE-A0B6-66BCDF92515D}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_2	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\optimization_guide_model_and_features_store\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOCK	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C46BB024-AD80-11EE-A0B6-66BCDF92515D}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\sererve.exe	sererve.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe57472b.TMP	msedge.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	sererve.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\d03418be-a07a-4dff-8b8a-e222bcbcae09.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\suggestions[1].en-US	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe573df3.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokens\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{82CED895-AD80-11EE-A0B6-66BCDF92515D}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000003.log	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOCK	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\sererve.dll	sererve.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AF6B5A75-AD80-11EE-A0B6-66BCDF92515D}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{82CED897-AD80-11EE-A0B6-66BCDF92515D}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4986da00-5860-4035-bd95-c6c35ea42f93.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240107171640.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\iglcjdemknebjbklcgkfaebgojjphkec = "DC9F1FF9C413996721E1A23B9D7AC90467A418FDF0763E4E72B9BE785F269447"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 00000000020000000200000002000000ffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\IEToEdge\UpsellDisabled = "0"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXvepbp3z66accmsd0x877zbbxjctkpr6t_.epub = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411412770"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Feeds	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\DualEngineCacheContainerTracker	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Edge\IEToEdge	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "96EEBCB4B2B75C4774D5147F671292A52D196EA78CA64014F1C1FF73C852CF1E"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 0100000000000000020000000200000002000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Feeds\MUID\	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\BLBeacon\failed_count = "0"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\settings_reset_prompt.last_triggered_for_startup_urls = "0FE303ACBFA95C75ED51B9FA81F76B04A224222CC3417B1E14CFD006D2B9E0C5"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.htm = "0"	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXcc58vyzkbjbs4ky0mxrmxf8278rk9b3t_.xml = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Flags = "1024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\dgiklkfkllikcanfonkcabmbdfmgleag = "D4309B6F7874F41CCFE571E56B342FB3298CC91696668B03AA9BFAFADCC5D033"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000004ed347c4968ae54eaab1d9b2c6084be1000000000200000000001066000000010000200000004e9738dee57e4e4cdfdcb0d35aae1be9888c6d70bbf99172ca5509629c9e22ae000000000e8000000002000020000000a663455d8b52b72b431f483d8bcf663ffc99078c6effdea60d8c4d869e518631f00300000f150d96b98a5b776412ca642a7627b05931c9346b278eb59c1daa9c5c0262924b89bd4a5549ef9c4dc1b708e2bb90c67ea054e2c62991f606212e615c9effcdfd4f4f2952f5d702ef201dba2eb95d69f36528fae00614e0d3d85eb98a47d0a45777627c4d5b8c492a4dc9395fdaa409692044841f88257cc754942b0dfa0d0853d7e968a0629e7cf0c01371c65813461cd1b1a6a0044370bfe66c670a70e98b490487e10c14459dbb575de0348ede53dc772f603f610cf8f8936739d952ab7bc15ba2896c470dc7cb8c423f8791f30c34bebbefbbbbd7af5a32a46fba8d87d401c7800fda48cc8d221bdca63e0ec3e647ff8e94eebb8463c93fc630730d8352ae86aaf06fdb799664bd29455c4f9e75ec1bca74b602c30db409e18e3e65ca619541d2eb4f81107f7990f95c7b488b9f8f2a81e0772cd23bd505cdfc02dd13a414e5afc6db13b7c46d49c92742f61e5a161fb2f5d423682e358b87fe1ba51c16e15fa64b55a462743d4372f130bec0b20f21c2434b214fba5d1c4462621ec1d0ce6b07de171bdd177e3d961a644b6de5936f9e5fee89e19697e3ac0cd63d57b444dff3132777c9a2f4a2a7eba51252d3fcf6f33e1e313cec61622351a8c5b772def1b845826a0bd54de90aa1ed41602ec3773089ded870760a0544e521471c97fe0dfb8f6adbd02d3f3b087405eaf1f0937f67870bab28d44e42d0f3dbdb074fb0248590c7e7cbcdfcdf9e2249cb6f04dc156c7fc8c6a78e8e594aa382a5f9b0d76bcaa67896a94582494dcb54b816c27e395a5aa1954095f6784fc82a6bca056671ba4c046d404ba3ae2050047b16865826e95127f2325e9a6b094cb5edf945795cfd38e69d128724d26e63ab590a63005228e5b0f980e202ec19b0f8c8da4de9579dc761e37dd8e07edc9edfee19f81094a3a97784a14afe254b1a8421fde975367b34d03fb31000a51af5ac087ae0d1c4f99c7b238190c22b57d48207dde14de5126d8722a0ee1f2763f2267467f7361efc02eb988043ca1111267198c9b5f695626d66c4cccfa813a12e8e2590f3b66bcf8ecb668b10d74285678b7ce699b3fe43fd611a44fb10fdcfced3cbb979424cccf3ddaff896687aa80616c6323eb0df575819b830b236cc52e5af75a15b511ad47b1ad5733ff81468d69f12bddc4860d3e1b0a9d2e17e77dc0a6b064e6aba2250f1b4e519f5ea0e377a5378e8f0ef41819c5a63bee69b7c24d3b8f67a19e76e47a0f97a3cff4bfb713f5a9cd23f3cab0591f7e9c82e16026d718808e77d314a0491cfc42928d80ab08f45a3f7dd17fffa3ca52dbf6d0db66e624a27c545b6a7830cde9d1799a547c0f8ecf9fcd03cc53b8aa9d12233bd4cddc01e86337d8ad83ef183096abc5967c89faa489d1ef95f9d5c886b056ad3cf3d0e61d6a2ee40000000992fcf4de40567cca39c60419cf0e8112cc3c0d7ade9d7014babb6fa73c71761068f966112d2e9a5202e618b01ef9a58a921227b6992d535a259bb7ec1db6613	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX90nv6nhay5n6a98fnetv7tpk64pp35es_https = "0"	setup.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	sererve.exe
Token: SeDebugPrivilege	560	sererve.exe
Token: SeDebugPrivilege	560	sererve.exe
Token: SeDebugPrivilege	560	sererve.exe
Token: SeDebugPrivilege	560	sererve.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3944	IEXPLORE.EXE
3944	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
5476	IEXPLORE.EXE
5476	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3120	IEXPLORE.EXE
3120	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
5584	IEXPLORE.EXE
5584	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
5476	IEXPLORE.EXE
5476	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4924	1656	4994bf7c857ca7415457c3b6be5c58cc.exe	18
PID 1656 wrote to memory of 4924	1656	4994bf7c857ca7415457c3b6be5c58cc.exe	18
PID 1656 wrote to memory of 4924	1656	4994bf7c857ca7415457c3b6be5c58cc.exe	18
PID 560 wrote to memory of 2336	560	sererve.exe	17
PID 560 wrote to memory of 2336	560	sererve.exe	17
PID 560 wrote to memory of 2336	560	sererve.exe	17
PID 2336 wrote to memory of 3868	2336	IEXPLORE.EXE	22
PID 2336 wrote to memory of 3868	2336	IEXPLORE.EXE	22
PID 3868 wrote to memory of 3944	3868	IEXPLORE.EXE	19
PID 3868 wrote to memory of 3944	3868	IEXPLORE.EXE	19
PID 3868 wrote to memory of 3944	3868	IEXPLORE.EXE	19
PID 3944 wrote to memory of 1012	3944	IEXPLORE.EXE	25
PID 3944 wrote to memory of 1012	3944	IEXPLORE.EXE	25
PID 1012 wrote to memory of 3008	1012	ie_to_edge_stub.exe	27
PID 1012 wrote to memory of 3008	1012	ie_to_edge_stub.exe	27
PID 3008 wrote to memory of 4472	3008	msedge.exe	26
PID 3008 wrote to memory of 4472	3008	msedge.exe	26
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 3372	3008	msedge.exe	39
PID 3008 wrote to memory of 4980	3008	msedge.exe	29
PID 3008 wrote to memory of 4980	3008	msedge.exe	29
PID 3008 wrote to memory of 1124	3008	msedge.exe	28
PID 3008 wrote to memory of 1124	3008	msedge.exe	28
PID 3008 wrote to memory of 1124	3008	msedge.exe	28
PID 3008 wrote to memory of 1124	3008	msedge.exe	28
PID 3008 wrote to memory of 1124	3008	msedge.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4994bf7c857ca7415457c3b6be5c58cc.exe
"C:\Users\Admin\AppData\Local\Temp\4994bf7c857ca7415457c3b6be5c58cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  PID:4924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82948 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:5476
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82952 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:3120
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82956 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:5584
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82962 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:17410 /prefetch:2
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10052
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10052
    3⤵
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      4⤵
      PID:3972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
      4⤵
      PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
      4⤵
      PID:520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
      4⤵
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
      4⤵
      PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      PID:5252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17294094014725127084,14331886039927420059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      4⤵
      PID:5236

C:\Windows\SysWOW64\sererve.exe
C:\Windows\SysWOW64\sererve.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:5428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:1508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:2168
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:692
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:1952
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ffae55646f8,0x7ffae5564708,0x7ffae5564718
1⤵
- Drops file in System32 directory
PID:4472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0xe0,0xdc,0x110,0x114,0x7ff6d1ff5460,0x7ff6d1ff5470,0x7ff6d1ff5480
1⤵
PID:5264

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
PID:5444

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
PID:1296

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
- Modifies data under HKEY_USERS
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\4f3b8460-518e-439d-b2e7-d34b9befd166.tmp

Filesize
11KB

MD5
f062b45caeb9b05b3927710250a52a42

SHA1
1e314a45b1a8ea640cacbaaeb7e192f7ccefdef1

SHA256
ffaac5eb0de3d21bea6cb494a94f5ffe84d15ee3a5d147673c45c4bdb270b010

SHA512
15ca20ba36b567764c386089a19866c08f935d1b526fa7cfc4b0473165ab56828f8778640ca7d45f965edd08769a0291a2401bebdcf60b8edf0075756f24856d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cff9c0dce73a9f1dfdd0695a2dde652f

SHA1
cb2adf45e2262b4226d5b2ddfd2a421f123be84a

SHA256
1b7c15bacbfd0914740e77de86a86a62f05e9aa429e29076b473e4499ac693f2

SHA512
003b1df14557c5ee3a8817440ddb81317fc0502a7e44ee648a56f33568b663b34188917cf0ed421585df282becd422bf5a95c9821b61728b2d7285c4b6699bce

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
memory/560-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/560-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/560-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/560-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/560-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/560-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download