hxxp://iili[.]io

Analysis

max time kernel
599s
max time network
533s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://iili.io

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\freeimage.host\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\freeimage.host\ = "2054"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\doubleclick.net\Total = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "804"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "SR en-US Lts Lexicon"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Speech HW Voice Activation - English (United States)"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 470b01835280da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_enUS_DavidM"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft David Mobile - English (United States)"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "32"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Traditional Chinese Phone Converter"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 83ce05835280da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "18"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "417711549"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\freeimage.host\NumberOfSu = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "11.0.2016.0129"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = 322d9a43ff74693161317f9e26a7d6bb591a6f276432e10543a70c26e1b357a5	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "418314413"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\doubleclick.net\NumberOfSubd = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HW"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\freeimage.host\Total = "1970"	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1580	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1580	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1580	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4472	MicrosoftEdge.exe
5092	MicrosoftEdgeCP.exe
1580	MicrosoftEdgeCP.exe
5092	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79
PID 5092 wrote to memory of 5000	5092	MicrosoftEdgeCP.exe	79

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://iili.io"
1⤵
PID:496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6BU1G9P1\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M46L41MO\f3cb92769b53fd8b1ef85d8f657e48f8[1].js

Filesize
52KB

MD5
f3cb92769b53fd8b1ef85d8f657e48f8

SHA1
d9ddd2b3b02572702fede79b83a9782277630604

SHA256
86511c4d73c76a630eeccc828398800e92cd0708b1a79f2f9465f8025530da84

SHA512
d4a9dc144cfb823e7412fa19334e4ce11e73b4ca6146747405a595e1b0fa93985311d02cf67243b30906e1339d4fee7bcde68fafcea921fd3d34e78be4f39678

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M46L41MO\f[2].txt

Filesize
214KB

MD5
ddafe9ee559a665a1e67e4338e00ca53

SHA1
fdd0295c8758197dcb33b6f3f7dfce1a6db385cb

SHA256
98727e12c24ab43d1f3a871c66c5ce44070e1cedf37bdc9ff476233b8183688b

SHA512
eb188e9f7580d24676530e8bc6854536329babdd0bbc017b0a72d94cc781c5b13bda8abea7c68d6190b3fa9c874b5d314015880ee319585ef7b2da0141dd0f23

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M46L41MO\f[3].txt

Filesize
2KB

MD5
43df87d5c0a3c601607609202103773a

SHA1
8273930ea19d679255e8f82a8c136f7d70b4aef2

SHA256
88a577b7767cbe34315ff67366be5530949df573931dd9c762c2c2e0434c5b8a

SHA512
2162ab9334deebd5579ae218e2a454dd7a3eef165ecdacc7c671e5aae51876f449de4ac290563ecc046657167671d4a9973c50d51f7faefc93499b8515992137

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ONRS02MN\f[2].txt

Filesize
30KB

MD5
a44bcb0ea5c85fb826107c40cab9fe02

SHA1
afbe74aa7f8b23965b9a46d636d1ccea6a2f53f4

SHA256
172abdc1549b57ea9d6e92351ac832492722a46e897bee71f949705da49b3108

SHA512
278378ac5bba0e97712c1fc379963256e90cf08dceb6bd9bacc3e6052b93360f3c97bb0b832d7e224e096faec626934f14a33fd7336e675a0fe573f8c002d37b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ONRS02MN\f[3].txt

Filesize
2KB

MD5
4c38d208d9d973925492b711fcbbf71e

SHA1
ca9aecef92acf22b2234e16dbb52133e45a80cbf

SHA256
cdbe9b84c30a00229826b0b1e354c94d36dd6bf16e6580bbef43877689c8f5bb

SHA512
24ed59d2de3c055a0a64ffe7a37eee094a8b7512489a04be0fc53de80bf21d16f2fff68be1cac49f2e7b4f75cb7ad32793501494982c5723fe135a6d7d88e2fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ONRS02MN\f[4].txt

Filesize
29KB

MD5
0477d50b8c866188d6497b84b75942d6

SHA1
5fb74c10d468e5c6b0064a545adc5a2459451cb4

SHA256
334c6462d1b583a07ef6bb60d7c09c81044603bb91dc5bbbd12701c6526d4ebf

SHA512
a059c87606acea9ea9a68f0bf56f54ca532d5e95625d96aa4b9d9489e4debc8eb91f12bcc60c97936220b21c17d9fcf8dd9a27b8c964f035d2938e02fbf64894

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ONRS02MN\qQxblM-82UGfO2UIXar57yFpVDVHucNbGSzcOii_-0c[1].js

Filesize
51KB

MD5
03781b3ea9c5281d57c572baa5603eb1

SHA1
78517e61225864e2204dfa2cd8a127189b296534

SHA256
a90c5b94cfbcd9419f3b65085daaf9ef2169543547b9c35b192cdc3a28bffb47

SHA512
4b4ab6bc51292e2d9d0e8c46668f4ab7dd6c1adfb353a1bb9d75fd6c7f971b342569211a9ddd5f675bbdd3b8f5a0d963a34b8f4ddde67520a45c362cc13304e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\PZAKAOVS\freeimage[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DEU1SN1B\favicon-32x32[1].png

Filesize
1KB

MD5
9e040c449bba518cde34bedd258d17ab

SHA1
89eb132a0283acdd9bc072ad5c8a128de32f50a9

SHA256
0e38e65bee9c1586493ec80200242b0265d289df955e215f6b171f3fd87101b0

SHA512
08d6740ffa30568798123977dff1cc2d21ab03ad0feef9e68b11fb4f9590f7fef30529cd938b5798505ce1de11b9f71590822424d0fc7bb5a627cc604c67729f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\W7BGIAKO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/4472-195-0x0000021FC1620000-0x0000021FC1621000-memory.dmp

Filesize
4KB

Download
memory/4472-196-0x0000021FC1630000-0x0000021FC1631000-memory.dmp

Filesize
4KB

Download
memory/4472-0-0x0000021FBAF20000-0x0000021FBAF30000-memory.dmp

Filesize
64KB

Download
memory/4472-35-0x0000021FBB410000-0x0000021FBB412000-memory.dmp

Filesize
8KB

Download
memory/4472-16-0x0000021FBB700000-0x0000021FBB710000-memory.dmp

Filesize
64KB

Download
memory/5000-391-0x000002AF41C00000-0x000002AF41D00000-memory.dmp

Filesize
1024KB

Download
memory/5000-431-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-337-0x000002AF3F390000-0x000002AF3F392000-memory.dmp

Filesize
8KB

Download
memory/5000-339-0x000002AF40700000-0x000002AF40800000-memory.dmp

Filesize
1024KB

Download
memory/5000-363-0x000002AF3C8E0000-0x000002AF3C900000-memory.dmp

Filesize
128KB

Download
memory/5000-381-0x000002AF3FB30000-0x000002AF3FB50000-memory.dmp

Filesize
128KB

Download
memory/5000-332-0x000002AF3C8A0000-0x000002AF3C8C0000-memory.dmp

Filesize
128KB

Download
memory/5000-422-0x000002AF42B00000-0x000002AF42C00000-memory.dmp

Filesize
1024KB

Download
memory/5000-426-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-427-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-429-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-428-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-430-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-335-0x000002AF3F350000-0x000002AF3F352000-memory.dmp

Filesize
8KB

Download
memory/5000-432-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-434-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-437-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-441-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-442-0x000002AF2B6F0000-0x000002AF2B700000-memory.dmp

Filesize
64KB

Download
memory/5000-298-0x000002AF40700000-0x000002AF40800000-memory.dmp

Filesize
1024KB

Download
memory/5000-296-0x000002AF40700000-0x000002AF40800000-memory.dmp

Filesize
1024KB

Download
memory/5000-146-0x000002AF3F300000-0x000002AF3F302000-memory.dmp

Filesize
8KB

Download
memory/5000-142-0x000002AF3F2E0000-0x000002AF3F2E2000-memory.dmp

Filesize
8KB

Download
memory/5000-138-0x000002AF3F210000-0x000002AF3F212000-memory.dmp

Filesize
8KB

Download
memory/5000-133-0x000002AF3ECF0000-0x000002AF3ECF2000-memory.dmp

Filesize
8KB

Download
memory/5000-129-0x000002AF3EC40000-0x000002AF3EC42000-memory.dmp

Filesize
8KB

Download
memory/5000-118-0x000002AF3EC90000-0x000002AF3EC92000-memory.dmp

Filesize
8KB

Download
memory/5000-109-0x000002AF3EC70000-0x000002AF3EC72000-memory.dmp

Filesize
8KB

Download