cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
08-05-2021 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Size

3.3MB
MD5

ff36e55c32797704f09e344148c66cf2
SHA1

f3ee023dbfc31ed8881932b25511155ade5ab633
SHA256

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b
SHA512

987fc3b7a46ef9ac6643c16173af0f81d6bc15887de695c794b0a1d133a50d00a914814423c5cd69ba1019c5c3fcb2c5626c1561cec295e028a5eb871ba4ddab

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeSynaptics.exe

pid process

3124 ._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
424 Synaptics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
behavioral2/memory/3124-132-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SS CRACK RETRIX = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

pid	process
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4344 3124 WerFault.exe ._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	pid_target	process	target process
4344	3124	WerFault.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.execfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\Certificates\EC419 = 0f0000000100000020000000d3fe7073da1f0bc2ace8379d492e0dc37565ee0258199d00b7d6fdd8073c6d121400000001000000140000007fd399f3a0470e31005656228eb7cc9eddca018a4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee5c0000000100000004000000000800001900000001000000100000004fd8109a374c83637a461d03a672e5ec030000000100000014000000ec4191d1f357bd539483286fa67fd219143d26110400000001000000100000001d53326643d689c49dc2956250ff52c02000000001000000b2040000308204ae30820396a00302010202100580267f06f29553348e1c185a5eee2e300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313230383132323832365a170d3237313230383132323832365a3072310b300906035504061302434e31253023060355040a131c54727573744173696120546563686e6f6c6f676965732c20496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311d301b0603550403131454727573744173696120544c532052534120434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a059af57fa987ec009bc621d4593532329b43943004e38a55a651fce7c287e17a7fddeeeef64719c514fe5bd51a05109dbcc9851d545767a925a7be9bb7319d720a743d3f552f5bb4083026ccc616fc28a9779a0aa1683fbd703e65e38d4c0b4fbd3eaaf5f885dc987ce25c8de4f3e502ad83ccd0c3168af71e094fd0a83a6a15755844040883dc3c11e5f1603870f0c06c5d256541be4b67a00ce37532d70dd6d2542e63674bbca2af418930efee3025b01e45f1a660bd2643390785af068e4db2964842271219dc84a6530f5773e9a065935c46108e4f6560275406dafe87c7df792dca66930ec13ac510e75bdee90e48a60916a4e8211b7deddd5f0e8e5790203010001a382014f3082014b301d0603551d0e041604147fd399f3a0470e31005656228eb7cc9eddca018a301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c304c0603551d2004453043303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c010201300d06092a864886f70d01010b05000382010100addd54e8f9765bf83332b68b6df794362fc89dec9456365f61ca4d81ad7bc9db2ba8b9fdfb032263188a1024a7a55a358fde9fc599e6a72b40f54bb89ac90d25d3d3836731e64e4035288ff34702675f08107f8756d9e4e18ae927f5879631ff9c11e1fdd35283e01a59d4ec4b8f2122cd74c4620eb5e7b5c2260c0891be4879189b87e1809513a5c49eda9a348806911c3129282753721dde2b856d6f45510f50aad6f5197f75009ee2e35e774e290681809dc189015110fc81255ef0e01ca3a21f64e62dfd31308a2d48be2d42aa7b94956a6c1752dd40d21d7db5b74d27b406141aee27db5487ef3d61d83aedeb920d5978ca3a5d153d0789f95722584661	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ce9d80bf6144d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000adca1d53bd32aa5097f6d5db16b7cf2585519be041ee7d9402d4b580beee5e46943aa130068391f1a5254b5be6a8413f9c1c70a84bf04e84ce5831d1f12f	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\Certificates\EC419 = 030000000100000014000000ec4191d1f357bd539483286fa67fd219143d26111400000001000000140000007fd399f3a0470e31005656228eb7cc9eddca018a0400000001000000100000001d53326643d689c49dc2956250ff52c00f0000000100000020000000d3fe7073da1f0bc2ace8379d492e0dc37565ee0258199d00b7d6fdd8073c6d121900000001000000100000004fd8109a374c83637a461d03a672e5ec5c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000002000000001000000b2040000308204ae30820396a00302010202100580267f06f29553348e1c185a5eee2e300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313230383132323832365a170d3237313230383132323832365a3072310b300906035504061302434e31253023060355040a131c54727573744173696120546563686e6f6c6f676965732c20496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311d301b0603550403131454727573744173696120544c532052534120434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a059af57fa987ec009bc621d4593532329b43943004e38a55a651fce7c287e17a7fddeeeef64719c514fe5bd51a05109dbcc9851d545767a925a7be9bb7319d720a743d3f552f5bb4083026ccc616fc28a9779a0aa1683fbd703e65e38d4c0b4fbd3eaaf5f885dc987ce25c8de4f3e502ad83ccd0c3168af71e094fd0a83a6a15755844040883dc3c11e5f1603870f0c06c5d256541be4b67a00ce37532d70dd6d2542e63674bbca2af418930efee3025b01e45f1a660bd2643390785af068e4db2964842271219dc84a6530f5773e9a065935c46108e4f6560275406dafe87c7df792dca66930ec13ac510e75bdee90e48a60916a4e8211b7deddd5f0e8e5790203010001a382014f3082014b301d0603551d0e041604147fd399f3a0470e31005656228eb7cc9eddca018a301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c304c0603551d2004453043303706096086480186fd6c0102302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c010201300d06092a864886f70d01010b05000382010100addd54e8f9765bf83332b68b6df794362fc89dec9456365f61ca4d81ad7bc9db2ba8b9fdfb032263188a1024a7a55a358fde9fc599e6a72b40f54bb89ac90d25d3d3836731e64e4035288ff34702675f08107f8756d9e4e18ae927f5879631ff9c11e1fdd35283e01a59d4ec4b8f2122cd74c4620eb5e7b5c2260c0891be4879189b87e1809513a5c49eda9a348806911c3129282753721dde2b856d6f45510f50aad6f5197f75009ee2e35e774e290681809dc189015110fc81255ef0e01ca3a21f64e62dfd31308a2d48be2d42aa7b94956a6c1752dd40d21d7db5b74d27b406141aee27db5487ef3d61d83aedeb920d5978ca3a5d153d0789f95722584661	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 103efa239444d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 669acfc46144d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 682fd0be6144d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WerFault.exe

pid	process
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe
4344	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2400 MicrosoftEdgeCP.exe
2400 MicrosoftEdgeCP.exe

pid	process
2400	MicrosoftEdgeCP.exe
2400	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeWerFault.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4024	MicrosoftEdge.exe
Token: SeDebugPrivilege	4024	MicrosoftEdge.exe
Token: SeDebugPrivilege	4024	MicrosoftEdge.exe
Token: SeDebugPrivilege	4024	MicrosoftEdge.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4128	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	4344	WerFault.exe
Token: SeBackupPrivilege	4344	WerFault.exe
Token: SeDebugPrivilege	4344	WerFault.exe
Token: SeDebugPrivilege	4608	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4608	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

pid	process
4024	MicrosoftEdge.exe
2400	MicrosoftEdgeCP.exe
2400	MicrosoftEdgeCP.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
3124	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4012 wrote to memory of 3124	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 4012 wrote to memory of 3124	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 4012 wrote to memory of 3124	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 4012 wrote to memory of 424	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 4012 wrote to memory of 424	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 4012 wrote to memory of 424	4012	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2400 wrote to memory of 4128	2400	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
"C:\Users\Admin\AppData\Local\Temp\cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1200
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
memory/424-124-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/424-118-0x0000000000000000-mapping.dmp

Download
memory/3124-122-0x0000000074410000-0x00000000745D2000-memory.dmp

Filesize
1.8MB

Download
memory/3124-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3124-115-0x0000000000000000-mapping.dmp

Download
memory/3124-125-0x0000000002A9B000-0x0000000002C5E000-memory.dmp

Filesize
1.8MB

Download
memory/3124-126-0x0000000075AE0000-0x0000000075C1C000-memory.dmp

Filesize
1.2MB

Download
memory/3124-127-0x00000000028FE000-0x0000000002A8D000-memory.dmp

Filesize
1.6MB

Download
memory/3124-128-0x0000000074300000-0x0000000074377000-memory.dmp

Filesize
476KB

Download
memory/3124-129-0x00000000026F0000-0x00000000027C1000-memory.dmp

Filesize
836KB

Download
memory/3124-130-0x0000000002DA8000-0x0000000002EE5000-memory.dmp

Filesize
1.2MB

Download
memory/3124-131-0x00000000027D0000-0x0000000002849000-memory.dmp

Filesize
484KB

Download
memory/3124-132-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4012-114-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download