cfdc107d0bc345c268917ae21bb3338cc3dbe014df085ae3ae44413224c0b4f5

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00bcbbd7313488a36195456c188f4d8f.exe
Size

56KB
MD5

00bcbbd7313488a36195456c188f4d8f
SHA1

b621184348b0174c55e029fb9274b936794c15a8
SHA256

cfdc107d0bc345c268917ae21bb3338cc3dbe014df085ae3ae44413224c0b4f5
SHA512

46e3baf275ca41e1d3b6e629d90bbcab5095d7cff9ee2099ad2968cfe970f7eb1201b694ce422e21dae4b2747b2ca8ccd0275cc47ba725b1121260f205cddea7
SSDEEP

768:yM8tiYVAJpX56fFRv9gMQ9iGW3wDEd38SFa3Nj/8m2VnjS6207yUCEEw/IL4CubB:yriYVABUJK6+TwsZmDszAJ

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000001e5df-4.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	00bcbbd7313488a36195456c188f4d8f.exe

Loads dropped DLL 1 IoCs

pid	Process
3316	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001e5df-4.dat	upx

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\	00bcbbd7313488a36195456c188f4d8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}	00bcbbd7313488a36195456c188f4d8f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iexfilter.dll	00bcbbd7313488a36195456c188f4d8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\VersionIndependentProgID\ = "BhoNew.Bho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\InprocServer32\ = "C:\\Windows\\SysWow64\\IEXFIL~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer\ = "BhoNew.Bho.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\iexfilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\ProgID\ = "BhoNew.Bho.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\ = "BHO.ext2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\ = "BHO.ext2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID\ = "{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\ = "BHO.ext2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID\ = "{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
3148	msedge.exe
3148	msedge.exe
1576	identity_helper.exe
1576	identity_helper.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3148	3100	00bcbbd7313488a36195456c188f4d8f.exe	31
PID 3100 wrote to memory of 3148	3100	00bcbbd7313488a36195456c188f4d8f.exe	31
PID 3148 wrote to memory of 3180	3148	msedge.exe	29
PID 3148 wrote to memory of 3180	3148	msedge.exe	29
PID 3100 wrote to memory of 3316	3100	00bcbbd7313488a36195456c188f4d8f.exe	30
PID 3100 wrote to memory of 3316	3100	00bcbbd7313488a36195456c188f4d8f.exe	30
PID 3100 wrote to memory of 3316	3100	00bcbbd7313488a36195456c188f4d8f.exe	30
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 2512	3148	msedge.exe	40
PID 3148 wrote to memory of 4964	3148	msedge.exe	39
PID 3148 wrote to memory of 4964	3148	msedge.exe	39
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32
PID 3148 wrote to memory of 4972	3148	msedge.exe	32

C:\Users\Admin\AppData\Local\Temp\00bcbbd7313488a36195456c188f4d8f.exe
"C:\Users\Admin\AppData\Local\Temp\00bcbbd7313488a36195456c188f4d8f.exe"
1⤵
- Checks computer location settings
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\iexfilter.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hotvid44.com/bind2.php?id=1xxx3913705
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
    3⤵
    PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    3⤵
    PID:2208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,13876591526985062400,15633964709898456119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d5b646f8,0x7ff8d5b64708,0x7ff8d5b64718
1⤵
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66c58c5d8047fc5251830005a3ee442c

SHA1
0c9a5f5149537cdd4787ac9b54ccb66f91ef6273

SHA256
dafde98a2a2c1fdf01bd16f98e580821301de48f4b3cd9b620bd6dc8638e433c

SHA512
6cb514b00a1b5c4b2f7232dbdaf3690734a2402969269da59f871a261a30e39638fe74b685e6f81dfa0db03f6f5f65d9ab8816c9f15269ccb7a0b16b1688609d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1fc5f53a2662d21b93d3c3468b6e83c5

SHA1
8ede889a88f802a170de42d8665aebdaa2589df8

SHA256
594ce93c5a2d83e8d9a8ea5bf8d8a8aec2b43c69cf45e20fb0c3f4314cd3c865

SHA512
d940840876e5a21a6f278b7ae3da45bff209584304e4d00600097e789cf9fccc668e162c836b56524b412b481dea05c85bcfe3ac77873186ad564ae6fda02caa

Download Submit
C:\Windows\SysWOW64\iexfilter.dll

Filesize
18KB

MD5
28a52dadb9fe2771e20e95ccee4bca3b

SHA1
3e6e783023addc87b7180320fb84545f11fab643

SHA256
f42913460f8153daa8b8884c3f2299ffee022fd8cba73f47c2da792ef4173671

SHA512
01eb62db5a141fff6469c71f77712dd5ab824d8e84b9f0479971485d1cecdfa67774cbe337fd032ed76f9f293f230b045fdfb8bfb6abf4de08fd6e7db3fe0aa5

Download Submit
memory/3100-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3316-10-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download