40415b1bc53572d6d1f47d64f6b14e27a12b3f016f24f3fa3fe3244bbfdfe5cb

Analysis

max time kernel
107s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/Ryujinx.SDL2.Common.dll.xml
Size

244B
MD5

2d175f1dad5afd5ff46691db53d9459a
SHA1

1b220dfd4badb4fe6d0f0cf839c76cced2f6e47e
SHA256

ccb8d75668d09da1d56153fef48e62de2ef3c6248cfb1b98169c4d94eac77ceb
SHA512

757e52f3badec151f3abc3da15ef446d6731fff62d2686b5e0f6455c6a823693a011bbd50b5fae35dc70e076ab7db908689778b94dcd1566c4f007001cb29c0b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384570753"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11BDC5D1-B960-11ED-BB59-EE84389A6D8F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a127eb6c4dd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000df7b92732becd8346a950fc05518c7613325997a6e1d77237889444e66232f78000000000e800000000200002000000059fee34b4744131eaf489cdfc22b606b295e65fd34460a47dd02335163a9bef92000000080d946fa5032988468271b2b8ebe45dd76e77b2245b16d8d02d67e1730b7bbff400000001ec0eebc73f1b408e4a90546c1d51a7fd1b9404dcd83d1d5a271603b7138606232a4397b9bfddf5d212fe7bba5f7b897263d6754edbc562cbddfd407bb9d46d2	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000101f819d853c1227673ab1075c2c445b7300aa6c6853afe2a0817a2b0021d8a0000000000e800000000200002000000040841fe011320e684312e8f6959f375f2525f62fa02fd02c11367d0bc2723bc3900000006acef2c68185f5126da2f6b07e5424cb0eaa0a90cfb5500933342905b58f1b27247f6f4c497bf9731e82f704acc7768d4d983aabb744b8ad0f6e52f1579468bcffc7d5a75e2dc5b16058b8ba2c0a12f9ac2fc8c49465680440313c72b8d08b3d74fc2b236425502e31fae6114b7b8cfab1eeaec86cf6947ffd671e468d4a49a3d6bbd19995734b62d37fcfe46d9b4a444000000091ef7f7daa2f6a7a18d77c8cc0bbe92d6a94e43da50d5d762b986ab791416da6ef493aba4cbffbaab224c27e96c612ceb991bee1114fd21ce150c37636463d03	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

684 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

684 IEXPLORE.EXE
684 IEXPLORE.EXE
1372 IEXPLORE.EXE
1372 IEXPLORE.EXE
1372 IEXPLORE.EXE
1372 IEXPLORE.EXE

pid	process
684	IEXPLORE.EXE

pid	process
684	IEXPLORE.EXE
684	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1680 wrote to memory of 1088	1680	MSOXMLED.EXE	iexplore.exe
PID 1680 wrote to memory of 1088	1680	MSOXMLED.EXE	iexplore.exe
PID 1680 wrote to memory of 1088	1680	MSOXMLED.EXE	iexplore.exe
PID 1680 wrote to memory of 1088	1680	MSOXMLED.EXE	iexplore.exe
PID 1088 wrote to memory of 684	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 684	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 684	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 684	1088	iexplore.exe	IEXPLORE.EXE
PID 684 wrote to memory of 1372	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1372	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1372	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1372	684	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0155fd558eb4310dfaccb388f4512d15

SHA1
c8429331cef75ec5c5b96495f4cb1d5f2e648946

SHA256
c074a4ea0e07833c98fd033f4bb5366f2fb8bb6d2482fb7e5e064cbbf80afe96

SHA512
86c8336734ee820b74eb1ca704fe3d66bb48989f74a31d8f994b66c03e3b5cbd01082c74a40c75d029f11b94678706fb332192e81cf72e4e4b09e9678ba7a4bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2363a22f917bc1cb6ecf0a883f57a0d8

SHA1
0a5c0f8a9a74a3d2b47d12d5c7e902fdec926d27

SHA256
9c6e08da8c920f5acdc2f5f07b10896d532c6f466f04037da639a1bce912021d

SHA512
e7356ba8382f937f2ff591a4a0e773a2aed5143287e3aa4f134538389aeacc8d363dae913c5719baad50d5e9a83e5c8e65f4c0be45ccb71b285e01dd317dbf97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1a499ebb61b202f3f8a7b97040717f

SHA1
56286379e522ee1a0599cce43de1ef24d3ac31d0

SHA256
ff0847044d61a07faca4d7feb7b8f35a8acebff085e0f0187aed02e0e84db88e

SHA512
18a34bc3b4eafae4573ebb9265bb59dbd7a8a4d0b98370edac467da154c764cc838b946c47a8e7dbd2bfbfca452fa19791331da6afded81b094eea5791e44238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76bbfe7f5e0b3adc3d736f01975146b4

SHA1
e4e85aa534d926d415e0b576a6f42a4de14645fc

SHA256
6fa9bfd31d5d59840cdd794dc8e2760c94e311a507dbe47e1b6ec137ea490375

SHA512
7c416a90a264df0650cddb075cf4f76cb9fc4fb64180de859cddedb7106ef84d888bd631b4bcc6f402399b641be82607ce5fd7eb0f5c635cb8d5e43347ec3531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF55.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB25A.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\151XTMWZ.txt

Filesize
605B

MD5
2de3d8b2b226c1e3c17be659fbf281f8

SHA1
ca63763f3192cf5554a485f4cc00ae54af7b2725

SHA256
e9e33d858c6bc796108eeed6f7cb6291e7f5466d7d14c1826ad315a564b60947

SHA512
f6eee8eda24b71e2e9536bbaa05cea5925c630b0a4f1b44e56bf45cc34d1411888a761560715088ff68e5f0abc309ee66c604b753ee39a96ed3217d125d679e7

Download Submit
memory/684-54-0x00000000022C0000-0x00000000022D0000-memory.dmp

Filesize
64KB

Download
memory/1372-55-0x0000000003080000-0x0000000003082000-memory.dmp

Filesize
8KB

Download