532d3bba9f5303ca9fbc6fbc04783cea8682c68f5d00e5af847db574bd456876

Analysis

max time kernel
69s
max time network
71s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13-01-2023 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrucialScan.exe
Size

273KB
MD5

5ee6166a4abb82fd33baa6248f66918d
SHA1

762b2ae362e089bea12e669cafb6c4e84651b5f1
SHA256

532d3bba9f5303ca9fbc6fbc04783cea8682c68f5d00e5af847db574bd456876
SHA512

74466bbf93dbd1b2ef50f1e5ac40e727ec7f45791b29aa3e3e6716210d4bc16f0735b5a61a3faacad8e3c6ee9b38692698fe8fe891c13874ca28fd4c60da22b5
SSDEEP

6144:pvodp0Ymh4o+R/gE7+cE4ll3dqF2VCZHKa9DL:pvod+hh+R/gE7tEGk2IZHKEX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	CrucialScan.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "1237"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.crucial.com\ = "1000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "124"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cdn-micron.suth.digital	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "1002"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f84602771627d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.crucial.com\ = "1416"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 41294a851627d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "1197"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "602"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "596"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\Certific	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = d581f14b6daed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\suth.digital\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "1158"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.crucial.com\ = "1316"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1fddce761627d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.crucial.com\ = "1002"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\Certi	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\crucial.com\Total = "90"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\suth.digital\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\suth.digital\ = "0"	MicrosoftEdgeCP.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
620	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4776	MicrosoftEdgeCP.exe
4776	MicrosoftEdgeCP.exe
4776	MicrosoftEdgeCP.exe
4776	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	696	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5092	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5092	MicrosoftEdge.exe
4776	MicrosoftEdgeCP.exe
4776	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 696	4776	MicrosoftEdgeCP.exe	73
PID 4776 wrote to memory of 696	4776	MicrosoftEdgeCP.exe	73
PID 4776 wrote to memory of 696	4776	MicrosoftEdgeCP.exe	73
PID 4776 wrote to memory of 696	4776	MicrosoftEdgeCP.exe	73
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82
PID 4776 wrote to memory of 756	4776	MicrosoftEdgeCP.exe	82

C:\Users\Admin\AppData\Local\Temp\CrucialScan.exe
"C:\Users\Admin\AppData\Local\Temp\CrucialScan.exe"
1⤵
- Checks computer location settings
PID:4936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QA03EDT2\scanner-loading-image[1].gif

Filesize
93KB

MD5
06066fee0fb491f3deeac18a75f7c695

SHA1
b164988a86c94260ca4f0ca12a03a483478568fd

SHA256
cb8142cd53a5e7da3602724103ed5b184c73d846c40325b18e4524b08b42901d

SHA512
4829e1958da33153cd5f5a78d249050c3534a888a1bc873aa49631998ba3e62ee5de380eaa409fadb2cc3db1fcba0d3b8b309c3f58e2dc74c7e61259e49bf89a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

Filesize
471B

MD5
bc21d81943d06da4914dc92502132fa6

SHA1
96171473b60fccab53e5d1c57c55070fe751b093

SHA256
ccf8dd919836dce5db509e56658454c260039fba285ada9883116774712f3bdf

SHA512
e75d69dba8066d4e5e85139a5832c067ab6186f7ed8c01ec4c35a52a48b492c53b753f6b14ad9f626748db9965e121b03da14ccb3e9cc3fa5e909ff2f6e1599e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

Filesize
434B

MD5
6bbb386618377692259174b122e87581

SHA1
1c0afb5a2f868aa438ba45255ecec90edb3fb21f

SHA256
16c7e1757b95ceba225a74a47127580cc49a17bdc2b7b18b8c7aebd46d465f96

SHA512
1040b440b7ed933afb737bf143be0abc2db595fe4623552b61d4f36ed86d405f21bec3e5644c7b1d496e5177e44069592c36d55daee6d4daa31fb65431bbe85c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysprofile.htm

Filesize
866B

MD5
8ab2922c1121a92472b6105341c90618

SHA1
4d232ce9dc96d9bdfc08bdd2f250741840799828

SHA256
9fb52ad8cea1fa062d41206a0c24298c3a785ab4a9440f8c85468d63a84c6953

SHA512
ce94501f35c315dce52325680d337ef341b31bb3a6c96de773f776ee127e23f7a77b7585c89e46fa4d96755a1c86ab24adae0f176e5a3ed7b07ff16ace662ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysprofile.htm

Filesize
31KB

MD5
39bef9bc8c1fe4619e547a0240ce77ea

SHA1
0c46b65aaa5b875be39a94a2150daab98b317cba

SHA256
1fed32b8664027312824ddfa032449ff3fb71769c155da7f69b6fb58f6cd0f8a

SHA512
2427f9d066ff8f04664526cb5aa01bec7babb9bce232aa58f850d1db3642cb590fcbe03f9a5404d7b0b088d8e51b75a9b1838082e5b9aee6010aa76294633add

Download Submit
memory/4936-136-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-179-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-120-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-121-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-122-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-123-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-124-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-125-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-126-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-127-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-150-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-129-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-130-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-131-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-132-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-133-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-134-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-137-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-138-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-139-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-140-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-141-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-143-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-144-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-145-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-146-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-147-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-142-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-118-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-148-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-180-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-119-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-128-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-151-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-152-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-153-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-154-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-155-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-156-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-157-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-158-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-159-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-160-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-162-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-161-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-163-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-164-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-165-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-166-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-167-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-168-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-169-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-172-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-174-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-175-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-176-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-177-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-117-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-116-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-149-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-178-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-135-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/5092-171-0x000001D4BA920000-0x000001D4BA930000-memory.dmp

Filesize
64KB

Download
memory/5092-170-0x000001D4BA820000-0x000001D4BA830000-memory.dmp

Filesize
64KB

Download