Malware Analysis Report

2025-01-18 21:11

Sample ID: 240325-eanj5aab4y
Target:    dd2735c0c6c41563e86b234758b2b1b2
SHA256:    b87856de071e050ce4e114417c5a41b1025cc41e9722da4be0791aef1ae05838
Tags:      adware stealer upx
Score:     7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b87856de071e050ce4e114417c5a41b1025cc41e9722da4be0791aef1ae05838

Threat level: shows suspicious behavior

The file dd2735c0c6c41563e86b234758b2b1b2 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware stealer upx

ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Checks computer location settings
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Modifies Internet Explorer settings
Modifies registry class
Modifies Control Panel
Modifies Internet Explorer start page
Suspicious use of WriteProcessMemory (listed in this summary only; none of the detonation sections below carries a row for it)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 03:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-03-25 03:44
Reported:         2024-03-25 03:46
Platform:         win7-20240221-en
Max time kernel:  119s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\dskrfuoui.dll | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Bar = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Every res:// value above percent-decodes to res://C:\Windows\system32\dskrfuoui.dll/sp.html, an HTML resource served from inside the dropped DLL, so the search page, search bar and search assistant are all redirected into the sample's own component.

Modifies Internet Explorer start page

Tags: stealer

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABB72AF8-D9FC-4142-B87F-568B557B199A}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8F4A9CF-D586-4202-90EF-591930316FEB}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{ABB72AF8-D9FC-4142-B87F-568B557B199A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04081602-03AD-406A-AE93-A968FD573E6D}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04081602-03AD-406A-AE93-A968FD573E6D}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04081602-03AD-406A-AE93-A968FD573E6D}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABB72AF8-D9FC-4142-B87F-568B557B199A}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04081602-03AD-406A-AE93-A968FD573E6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8F4A9CF-D586-4202-90EF-591930316FEB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{ABB72AF8-D9FC-4142-B87F-568B557B199A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{04081602-03AD-406A-AE93-A968FD573E6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{A8F4A9CF-D586-4202-90EF-591930316FEB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{A8F4A9CF-D586-4202-90EF-591930316FEB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8F4A9CF-D586-4202-90EF-591930316FEB}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8F4A9CF-D586-4202-90EF-591930316FEB}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABB72AF8-D9FC-4142-B87F-568B557B199A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABB72AF8-D9FC-4142-B87F-568B557B199A}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{04081602-03AD-406A-AE93-A968FD573E6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
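The three behavioral1 tables above record one chain: a BHO CLSID is registered, each CLSID's InProcServer32 names the dropped DLL, the PROTOCOLS\Filter entries for text/html and text/plain point their CLSID at the same DLL (a MIME filter that sees every page IE renders), and the IE search values carry a percent-encoded res:// URL. The script below is an added example for this report, not part of the sandbox output. It transcribes a subset of the rows above (in printed order, which it assumes is chronological), resolves every registration back to the DLL it loads, decodes the res:// URL, and checks that everything lands on the dropped file. The parsing of the report's 'path = "data"' indicator format is an assumption about how the report flattens registry events.

```python
"""Resolve the registry hijack chain recorded in the behavioral1 tables.

Added example for this report, not sandbox output. ROWS is transcribed from
the report's signature tables; the 'path = "data"' parsing is an assumption
about how the report flattens registry events.
"""
import re
from urllib.parse import unquote

DROPPED_DLL = r"C:\Windows\SysWOW64\dskrfuoui.dll"   # from "Drops file in System32 directory"

ROWS = [  # (action, indicator), as printed in the report
    ("Key created", r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}"),
    ("Key created", r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2}"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E9DE5CC3-9347-4BB1-9D1B-320B77F7E9B2}"),
    ("Key created", r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655}"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7E2C9D8-7F8C-49EC-96A3-1956727E4655}"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABB72AF8-D9FC-4142-B87F-568B557B199A}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8F4A9CF-D586-4202-90EF-591930316FEB}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04081602-03AD-406A-AE93-A968FD573E6D}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{ABB72AF8-D9FC-4142-B87F-568B557B199A}"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{ABB72AF8-D9FC-4142-B87F-568B557B199A}"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{04081602-03AD-406A-AE93-A968FD573E6D}"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{A8F4A9CF-D586-4202-90EF-591930316FEB}"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{A8F4A9CF-D586-4202-90EF-591930316FEB}"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{04081602-03AD-406A-AE93-A968FD573E6D}"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"'),
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_indicator(indicator):
    """Split 'key\\name = "data"' into (key, value_name, data); (key, None, None) for key-only rows.
    A trailing backslash before ' = ' is the key's (Default) value; '\\\\' in data is an escaped '\\'."""
    if ' = "' not in indicator:
        return indicator, None, None
    left, right = indicator.split(' = "', 1)
    data = right[:-1].replace("\\\\", "\\")   # drop the closing quote, unescape backslashes
    key, _, name = left.rpartition("\\")
    return key, name, data


def basename(path):
    """Lowercased file name, so system32 / SysWOW64 / SysWow64 spellings compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_res_url(url):
    """res://<module>/<resource>: percent-decode, then split the module path from the resource name."""
    module, _, resource = unquote(url)[len("res://"):].rpartition("/")
    return module, resource


def resolve_chain(rows, dropped_dll=DROPPED_DLL):
    """Follow each registration to the DLL it loads and compare it with the dropped file."""
    clsid_to_dll, filters, ie_values, bho_clsids = {}, {}, {}, set()
    for action, indicator in rows:
        key, name, data = parse_indicator(indicator)
        guid = GUID_RE.search(key)
        if "\\Browser Helper Objects\\" in key and guid:
            if action == "Key created":          # keep only BHOs that survive the create/delete sequence
                bho_clsids.add(guid.group(0).upper())
            elif action == "Key deleted":
                bho_clsids.discard(guid.group(0).upper())
        elif key.endswith("\\InProcServer32") and guid and name == "":
            clsid_to_dll[guid.group(0).upper()] = data        # CLSID -> in-process server DLL
        elif "\\PROTOCOLS\\Filter\\" in key and name == "CLSID":
            filters[key.rsplit("\\", 1)[-1]] = data.upper()   # MIME type -> CLSID, last write wins
        elif "\\Internet Explorer\\" in key and data is not None:
            ie_values[name] = data
    target = basename(dropped_dll)
    bho_dll = {c: clsid_to_dll.get(c) for c in sorted(bho_clsids)}
    filter_dll = {mime: clsid_to_dll.get(c) for mime, c in filters.items()}
    search_targets = {}
    for name, data in ie_values.items():
        if data.startswith("res://"):
            module, resource = decode_res_url(data)
            search_targets[name] = (module, resource, basename(module) == target)
    loaded = list(bho_dll.values()) + list(filter_dll.values())
    return {
        "bho_dll": bho_dll,
        "filter_dll": filter_dll,
        "ie_search_targets": search_targets,
        "all_point_to_dropped_dll": bool(loaded) and all(d is not None and basename(d) == target for d in loaded),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(resolve_chain(ROWS), indent=2))
```

On these rows the surviving BHO is {E3422DF3-154C-42F1-BEED-DF45BEEB4B1A}, both MIME filters and the BHO resolve to dskrfuoui.dll, and the Search Bar value decodes to module C:\Windows\system32\dskrfuoui.dll with resource sp.html. Note that the report does not guarantee its row order is chronological; with a live Sysmon or ETW feed, sort by timestamp before applying the create/delete bookkeeping.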

Processes

C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe
  "C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe"

C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\dskrfuoui.dll

The regsvr32.exe instance is the 32-bit copy under SysWOW64, so the C:\Windows\system32 path on its command line is redirected by the WOW64 file system redirector to C:\Windows\SysWOW64, which is where the "Drops file in System32 directory" row places dskrfuoui.dll. The /s switch suppresses regsvr32's message boxes, so the registration runs silently.

Network

N/A

Files

memory/2076-3-0x0000000010000000-0x0000000010013000-memory.dmp

\Windows\SysWOW64\dskrfuoui.dll

MD5 a432f83f41b0e513b8f14b99e579e5fb
SHA1 f94d032dc9b76926f8c89d4438c3b4b2ebd34d1a
SHA256 448fc3bcb92e57ab40594427f1138d28856f6a5b33306df3030792d22f97566a
SHA512 0a05e57b5be4970262d5338bf6b1ccd844e5ec21c2edb3655105179facb42fbc45e3be1abc32bfd9b4b4669bf46d7cde47cdaa41c393c50d340b027fc42fd0ac

memory/2076-4-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-03-25 03:44
Reported:         2024-03-25 03:46
Platform:         win10v2004-20240226-en
Max time kernel:  146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4957A9AF-2290-4762-A9E1-65F0917C9E5A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4957A9AF-2290-4762-A9E1-65F0917C9E5A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8AD6363-C38A-436A-8942-C2B72EC13BB5} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8AD6363-C38A-436A-8942-C2B72EC13BB5} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F1ABF47-A9AB-42AA-9272-B548C6D5CA1D} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\dskrfuoui.dll | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "res://%43%3a%5c%57%69%6e%64%6f%77%73%5c%73%79%73%74%65%6d%33%32%5c%64%73%6b%72%66%75%6f%75%69%2e%64%6c%6c/%73%70%2e%68%74%6d%6c" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe | N/A

Modifies Internet Explorer start page

Tags: stealer

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBBF1C85-E728-48A2-9046-7F8EF056D8B4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBBF1C85-E728-48A2-9046-7F8EF056D8B4}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBBF1C85-E728-48A2-9046-7F8EF056D8B4}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBBF1C85-E728-48A2-9046-7F8EF056D8B4}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8AD6363-C38A-436A-8942-C2B72EC13BB5}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F1ABF47-A9AB-42AA-9272-B548C6D5CA1D} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F1ABF47-A9AB-42AA-9272-B548C6D5CA1D}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4957A9AF-2290-4762-A9E1-65F0917C9E5A} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8AD6363-C38A-436A-8942-C2B72EC13BB5}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{AF32DD22-CDE5-42F2-BDB4-18C83447AE57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{AF32DD22-CDE5-42F2-BDB4-18C83447AE57}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF32DD22-CDE5-42F2-BDB4-18C83447AE57}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF32DD22-CDE5-42F2-BDB4-18C83447AE57}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F1ABF47-A9AB-42AA-9272-B548C6D5CA1D}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F1ABF47-A9AB-42AA-9272-B548C6D5CA1D}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8AD6363-C38A-436A-8942-C2B72EC13BB5} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4957A9AF-2290-4762-A9E1-65F0917C9E5A}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4957A9AF-2290-4762-A9E1-65F0917C9E5A}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF32DD22-CDE5-42F2-BDB4-18C83447AE57}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4957A9AF-2290-4762-A9E1-65F0917C9E5A}\InProcServer32\ = "C:\\Windows\\SysWow64\\dskrfuoui.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{CBBF1C85-E728-48A2-9046-7F8EF056D8B4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF32DD22-CDE5-42F2-BDB4-18C83447AE57} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFB9D84-3148-4B1E-A535-5CA9D4631B7F}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8AD6363-C38A-436A-8942-C2B72EC13BB5}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{CBBF1C85-E728-48A2-9046-7F8EF056D8B4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe
  "C:\Users\Admin\AppData\Local\Temp\dd2735c0c6c41563e86b234758b2b1b2.exe"

C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\dskrfuoui.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 20.231.121.79:80 |  | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 13.107.246.64:443 |  | tcp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 172.217.169.74:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
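The behavioral1 run recorded no network traffic at all, and the behavioral2 table above mixes three kinds of row that the report does not tie to any process: reverse-DNS (in-addr.arpa) queries, traffic with a domain attached (chromewebstore.googleapis.com, tse1.mm.bing.net), and two TCP connections with no domain at all. The script below is an added example for this report, not sandbox output: it buckets a transcribed subset of the rows so that the unattributed connections surface for analyst review instead of being lost among browser noise, and it reverses each PTR name back into the address being looked up. The list of "background" domain suffixes is an analyst assumption about what Edge emits in a clean Win10 sandbox, not a verdict the report states.

```python
"""Bucket the behavioral2 Network rows: reverse-DNS lookups, attributed browser
background traffic, and unattributed connections that need analyst review.

Added example for this report, not sandbox output. EVENTS is a subset of the
table above; BACKGROUND_SUFFIXES is an analyst assumption, not a report finding.
"""
import ipaddress

# (country, destination, domain, proto); '' where the report shows no domain
EVENTS = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "20.231.121.79:80", "", "tcp"),
    ("US", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("US", "13.107.246.64:443", "", "tcp"),
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("GB", "172.217.169.74:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

BACKGROUND_SUFFIXES = ("googleapis.com", "bing.net")   # assumption: Edge / Chrome Web Store / Bing noise


def ptr_target(domain):
    """Turn a PTR name d.c.b.a.in-addr.arpa back into the address a.b.c.d it asks about; None otherwise."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(events, background=BACKGROUND_SUFFIXES):
    """Return {'ptr_lookups': [ip, ...], 'background': [domain, ...], 'review': [(host_or_ip, port, proto), ...]}."""
    buckets = {"ptr_lookups": [], "background": [], "review": []}
    for _country, dest, domain, proto in events:
        host, _, port = dest.rpartition(":")
        target = ptr_target(domain)
        if target is not None:
            buckets["ptr_lookups"].append(target)          # the OS asking who an address is, not a contact
        elif domain and domain.endswith(background):
            buckets["background"].append(domain)
        else:
            # No DNS name in the capture and, in this report, no process attribution:
            # surface it for a human rather than deciding here.
            buckets["review"].append((domain or host, int(port), proto))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(EVENTS).items():
        print(bucket, items)
```

On the rows above this leaves exactly two items for review, 20.231.121.79:80 and 13.107.246.64:443. Whether they belong to the sample or to Windows and Edge cannot be settled from this report, since it attributes no connection to a process; a re-detonation with per-process network capture, or a comparison against an idle run of the same win10v2004-20240226-en image, is the way to close that question.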

Files

C:\Windows\SysWOW64\dskrfuoui.dll

MD5 a432f83f41b0e513b8f14b99e579e5fb
SHA1 f94d032dc9b76926f8c89d4438c3b4b2ebd34d1a
SHA256 448fc3bcb92e57ab40594427f1138d28856f6a5b33306df3030792d22f97566a
SHA512 0a05e57b5be4970262d5338bf6b1ccd844e5ec21c2edb3655105179facb42fbc45e3be1abc32bfd9b4b4669bf46d7cde47cdaa41c393c50d340b027fc42fd0ac

memory/2920-3-0x0000000010000000-0x0000000010013000-memory.dmp