fbf3997330e5b4e11c9786a0947a943e895cb6f6706e726b804d40fc6b59ec40

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17ba83f79f37e85b9c9fd05dc71645e2.exe
Size

59KB
MD5

17ba83f79f37e85b9c9fd05dc71645e2
SHA1

f154fda2ecb59e0d56df108a492bb473ebb7a3cd
SHA256

fbf3997330e5b4e11c9786a0947a943e895cb6f6706e726b804d40fc6b59ec40
SHA512

eb5185ad8692fb78e7556dbab70c7579871a1f466d1050aca319fa8c183d49f80a82716f260ab5f8e0824f3c28773bb125c031577cce16fa98f6028585f6fda8
SSDEEP

1536:WriYVA9WB5dHn5dBl1pN15x1Z5lwTsmSLRA8vKuVEHFducS32j:yB5dHn5dBl1pN15x1Z5lCsmSXyuVLyj

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000001e5df-9.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	17ba83f79f37e85b9c9fd05dc71645e2.exe

Loads dropped DLL 1 IoCs

pid	Process
4920	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-10-0x0000000010000000-0x00000000100F7000-memory.dmp	upx
behavioral2/files/0x000600000001e5df-9.dat	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfen32i.dll	17ba83f79f37e85b9c9fd05dc71645e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ProgID\ = "Aikido"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\cfen32i.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\ = "library.edu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CurVer\ = "Aikido"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\VersionIndependentProgID\ = "toolie.Bho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CLSID\ = "{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\CLSID\ = "{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\ = "library.edu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ = "library.edu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32\ = "C:\\Windows\\SysWow64\\cfen32i.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
3148	msedge.exe
3148	msedge.exe
4504	identity_helper.exe
4504	identity_helper.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3148	3100	17ba83f79f37e85b9c9fd05dc71645e2.exe	29
PID 3100 wrote to memory of 3148	3100	17ba83f79f37e85b9c9fd05dc71645e2.exe	29
PID 3148 wrote to memory of 3240	3148	msedge.exe	28
PID 3148 wrote to memory of 3240	3148	msedge.exe	28
PID 3100 wrote to memory of 4920	3100	17ba83f79f37e85b9c9fd05dc71645e2.exe	40
PID 3100 wrote to memory of 4920	3100	17ba83f79f37e85b9c9fd05dc71645e2.exe	40
PID 3100 wrote to memory of 4920	3100	17ba83f79f37e85b9c9fd05dc71645e2.exe	40
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4128	3148	msedge.exe	39
PID 3148 wrote to memory of 4728	3148	msedge.exe	35
PID 3148 wrote to memory of 4728	3148	msedge.exe	35
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31
PID 3148 wrote to memory of 1456	3148	msedge.exe	31

C:\Users\Admin\AppData\Local\Temp\17ba83f79f37e85b9c9fd05dc71645e2.exe
"C:\Users\Admin\AppData\Local\Temp\17ba83f79f37e85b9c9fd05dc71645e2.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://thevid11.com/bind2.php?id=3913704
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
    3⤵
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    3⤵
    PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:1908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:1452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
    3⤵
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10202238495096233248,15567767468964551952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4352 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\cfen32i.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d5b646f8,0x7ff8d5b64708,0x7ff8d5b64718
1⤵
PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea1aae93df17457ec2071041f12f0890

SHA1
b3f4cab931b22d4c16d26d8afe4bf8d6162c79ea

SHA256
301b84cc4f1c88a27e61e01fb3bbd12a9167ad7ebc87ec9a038995eb0df36a42

SHA512
0fd9189f3adaa57961271f67dfb9499597b98bd029db89d7f9f9859e84c8bf66793fe4ddf2009bdd796b7c68beda531fc2172f12dbe94024fdaddfed0beaa622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69a2cefdc73bd3e666caf8fa4026f22d

SHA1
82d3b0ecddee89f5b16b5c7f895f6158619b4dbe

SHA256
f49353a7c473efdb1216aa4099f31e28315ea097736cd6b845a06c8931e5eb91

SHA512
ed25c49e3661fe149e5e8855e920cc5ecff7dc8d33e171846235149d286f6fce2deb855d2e7425feb2a42e7ed7573de339740cb21f114304fb20a09ce6778b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f990dbf88a7067fcd49469a28b6d5488

SHA1
780e91f2603d67839986f64841f80849bb16befc

SHA256
85efe8d3404a2d35f3519c306180000d9a5b083b2ed0daaf325d7182ede7fea7

SHA512
15c84bb9b0f34594b4aa5422a95443c90d783e85a2e664344023dcbcb00c847ec0ee6d5978a36789773b65b82d3328f20ea2592a354feb3c117292696751575b

Download Submit
C:\Windows\SysWOW64\cfen32i.dll

Filesize
23KB

MD5
3125c2c5b7805fe4c5146392acef7681

SHA1
01934f83826a99769410bad1e227079792bdcd1f

SHA256
5ffa1f22aeec2ad26e5379caf52a8a362d21e75e8980826e95b17b273c021cc8

SHA512
f4c83997e4f51c3ae2963f3062d98eff667e210f27a35b5d6d2c92aff479b9a280c71401b4265b74e2eef09715d8d07b83f0f20931c7181fade0b7e4079a1c5e

Download Submit
memory/3100-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4920-10-0x0000000010000000-0x00000000100F7000-memory.dmp

Filesize
988KB

Download