Analysis
-
max time kernel
128s -
max time network
128s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
01/06/2024, 20:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://google.com
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
http://google.com
Resource
win11-20240426-en
General
-
Target
http://google.com
Malware Config
Signatures
-
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6777c2e15eb4da01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = a8ae5ae75eb4da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 46b760e15eb4da01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000017d8b3147f32b60f517fe7cde8841a920fb0dce3a37a7403dc36425628ae89383f4451f3048e1089bf8cc074dd9b1c27ff322287d0c37a1ff690 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 702c76e15eb4da01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings firefox.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fc058ee15eb4da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 5068 MicrosoftEdgeCP.exe 5068 MicrosoftEdgeCP.exe 5068 MicrosoftEdgeCP.exe 5068 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 3876 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3876 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3876 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3876 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 592 MicrosoftEdge.exe Token: SeDebugPrivilege 592 MicrosoftEdge.exe Token: SeDebugPrivilege 5364 firefox.exe Token: SeDebugPrivilege 5364 firefox.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 5364 firefox.exe 5364 firefox.exe 5364 firefox.exe 5364 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 5364 firefox.exe 5364 firefox.exe 5364 firefox.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 592 MicrosoftEdge.exe 5068 MicrosoftEdgeCP.exe 3876 MicrosoftEdgeCP.exe 5068 MicrosoftEdgeCP.exe 5364 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5068 wrote to memory of 3720 5068 MicrosoftEdgeCP.exe 77 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5300 wrote to memory of 5364 5300 firefox.exe 80 PID 5364 wrote to memory of 5536 5364 firefox.exe 81 PID 5364 wrote to memory of 5536 5364 firefox.exe 81 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 PID 5364 wrote to memory of 5604 5364 firefox.exe 82 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "http://google.com"1⤵PID:2960
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:592
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4548
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3876
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3720
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5300 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5364 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.0.602265243\1606497059" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddcfc0d-1ecf-4a17-86bc-f9a1c7b25ae4} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 1796 2317efbae58 gpu3⤵PID:5536
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.1.1287286891\1733761539" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42cd7c2b-0047-4cb9-ab74-ab92f72520c6} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 2136 2316cb70a58 socket3⤵PID:5604
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.2.352719608\1914139912" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2916 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {982deec6-7f51-4635-906e-9920ec4d89f4} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 2972 2310309e858 tab3⤵PID:5932
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.3.915440285\782378991" -childID 2 -isForBrowser -prefsHandle 3112 -prefMapHandle 3044 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {652d516b-e46c-48af-bd35-63996ef28c28} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 1244 23103d46e58 tab3⤵PID:6036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.4.1464550254\1139732676" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4380 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e229cb1-9a63-4c27-8b57-ca1180172826} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 4396 23105124a58 tab3⤵PID:1460
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.5.1205623688\1146253311" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4972 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71adef4-4aeb-4f69-a53f-46574f1d3df5} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 4984 231054c8c58 tab3⤵PID:1184
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.6.1184326745\1111144559" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5036 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b793433-fc45-4862-ac76-f6aa59f81ce2} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5024 231054c6258 tab3⤵PID:3536
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.7.499875159\552155889" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6432c71d-997b-4d5f-ad2d-1ed8a0fae7ac} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5248 231061fc558 tab3⤵PID:5136
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.8.1001848602\1429355299" -childID 7 -isForBrowser -prefsHandle 5580 -prefMapHandle 5592 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bed01a8b-0134-4979-9a3c-29a715bf2531} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5596 23107151358 tab3⤵PID:1812
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\83E9220200E1571B8A9D3BD22F093A31723DBB86
Filesize215KB
MD520db472f05547bbd4c05ee88f3d4ae23
SHA18124558c976992514503ba149137c09214b5ec13
SHA2564c1dae1761f31f3403b72f4fca7344087d6900fd19e13e92c75347972ee70c98
SHA512671c378672329242bd6e3b0a6abb882896a04ce865156956f312e29d2dd14ececd42e3cd85f6045afe4c62fae609ef2663f8943cf7ff462eb921f474b3294be7
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\89S7I2E8\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF14E4C85B2B31A949.TMP
Filesize16KB
MD516e9ac5a58ec8ba463a37104faa0addf
SHA17bb695e56e6ba22552fd012f49a99edb1f9dee13
SHA25611694ad4c69ecb249e7e99948e41cfcb303321a1d308dd6a5ae9d40870b1018d
SHA51286769065f578cea5c8a4c1e8bf43eff58da082a4a2c474d173a80563397d3055d4f0b92229668bea49be682a5a991b55aa73a67378d798c375e588d5e8f0a379
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5e9270368b07b9b18560dba7a86174f96
SHA1102607586ae8083991ed111ad83c52951b4f3b63
SHA2564af01f25e4142619d49ceeb0ee5fbda7b658de9a457883920e1f4e7e85b686d6
SHA512e549775c4e82b0a582cd0800ae42251eea9a3cd5803e160a9b70282d42c13518697158f72fa822f959cc9b88231a6a7e1b7f2e235a987f8908e056738a62e0fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\15424c16-ac7c-4d27-890f-06b40dc3da29
Filesize9KB
MD5973d9f32945f7fb2c06518662984b45b
SHA1977d9ddb20fc7b0b2ded5191fba7c4f1062edda5
SHA25628b7aa66c2c2d77853cade71e36522bc6b450350d48afe1d5df4d3203abc577c
SHA512473f9f7ac5fa8e670afabbba1ac3fa0028052b6c71adc2b93452f3df69b7a1e623d68a95ddbdebd37ecc5dc43d48b945183e52c5a9a9b683a302d0f4dcb7eca5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\9cd6c45e-69e1-4f1d-bf2f-26899afb35f6
Filesize746B
MD50846d950b07a972d9f52e3dcb56a22be
SHA12b9209e9679e4c1d7537494b37261376a3bb668c
SHA2560a6136da6df98d0dfdcafea0f9350fe38a2f1a0ec4945f2b4aa77ca315957644
SHA512e87e2eb3328efa898a44db60bd4c34f549cfbf771f6b19e41783157a2e8fa8014c86c132ec2035fbb2f6b11b004db41afeca44284b1ff7777159af7cb169dfa4
-
Filesize
6KB
MD5a579249f347d4690d1662ad9b799671c
SHA18853267c0d6ef3c15dfd5903cc8361ecdf378ded
SHA256c59ea3f1e39f6e22276b29c5ddaecf98c7a919608294e6c4328d08044c5cb589
SHA5122acfcd2ac7fb2a058ab5664d077f9011640cdf4d8f3aeecdb330b341b43dd006b09d646567eb991fe47b753300e946043121e6aacd6acf2de4740e9347d9b57b
-
Filesize
6KB
MD572aedd8ce1195ef383f8bb76d7a1cec1
SHA11562ce9bc9b5a7dad89ade1b0927480e9d8c3eb9
SHA256f76f8a9d75cc4680ba6993d744f0dd97f67e60144526fa1b3245277dfce03b14
SHA512a8feb45bf5c85e9b7fb7dc56daf31ea8b6fe3042d323dd17f3f1d71344583cf4c76227b174656ef55f2ddd8e6c3945559657af7c0dc9f822c73bab785a3c923d
-
Filesize
6KB
MD527594ca2480915c8387fffbb646053c1
SHA17f4659342d1828905e73e0cdca655162639ae7e7
SHA2562c2aadfbf20b1e499e97b47b71e9c60e0ee6151d0ced001e40d1499ef9978edb
SHA51246fa789db444364709c9b7c1caaa2d73c6f6bece0735e9e06baa78da64dd416501166bf1b6ed7c6b16aa696bb1dd6d4ad1862710731fd9a7d58571d1e7cbba66
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD54e84cdae3278a46e75235699953ecb31
SHA12ea9769f4b2e3895fe69b656c437db9ee2a43d05
SHA256929c9a9a8a00202a0fce4f7e53bce9a1dbdff0c77eadedd5fc8baf9231990f1d
SHA51295f536030e72927a70ea1de3d2c2eb45b98706085d1555741965ba07c7f377b9dfc16c3091a00320dbf4bc1f4ad6e6319080223db7088f4cd62a49ad24afe8e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD588fb666239582f758e17d42cf44b6e8e
SHA1d5c23d393d0c9ed065396042838a62e3d7eb5b79
SHA256dbf6f167438cba190c7deb2073cb4e5f6c7d37859702fc39d9f5f9a52680bd8f
SHA51206466124032b5b9571ca8471dd3209ddbbc7fe6954d843065ca5c1b4cdc7d50c8476abce9904cabd56ac8cd986bd3d3e20711a43c23f477ed657a8c74f15e6d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD55771b23799727a93b75b7bfc2e09f99c
SHA1617f66fd495fe6b31a408ba77a352e128dab94ec
SHA25687c6185b500cdf83956f434f7ec0e1fda2576fdd2f2aadd5a229a96f963489c0
SHA5125a9fc1425a69f7d4eddb78c9794234c84fa1b4862f51c4dcd1bf885716dbb17017bf53d6c1d13673784e9a0263396e3e1aa4d2087a0112914e96c6c746265f11