c946192bf47377d97cc4aff9cc4e405acbd19aae30a1745be4b7fa7f230ad8c0

Analysis

max time kernel
126s
max time network
178s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/Ryujinx.SDL2.Common.dll.xml
Size

244B
MD5

2d175f1dad5afd5ff46691db53d9459a
SHA1

1b220dfd4badb4fe6d0f0cf839c76cced2f6e47e
SHA256

ccb8d75668d09da1d56153fef48e62de2ef3c6248cfb1b98169c4d94eac77ceb
SHA512

757e52f3badec151f3abc3da15ef446d6731fff62d2686b5e0f6455c6a823693a011bbd50b5fae35dc70e076ab7db908689778b94dcd1566c4f007001cb29c0b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca000000000200000000001066000000010000200000008525eb051eef9ba0bd65a39f061fecadc7edbc8819b39affba7df2eb28a4e8c2000000000e8000000002000020000000aa428c490d173e22c3a22c8fdc0beb618f5da3b775f5734b9fafbe41830d7b212000000080b97846e0f977cf012b8de1b9175eaceb390ea39dd6180b6d327c6ae6c92ace400000008057ad4428939bc1f0f2b6e4cb89b6791d627a1d4e3dbf73c3c39e4b91d704fc7d3ac1f93edf3628463fe52958250548b01130fea03e057d36a7b402ec42ab03	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000bb7d8f3617e8315b7069b5d510f48098a2ae6285b3bebc0df41bc3701987b2c4000000000e800000000200002000000069ae939dc0177f75b49a3d18e247a4d5388a16779616a6b2779025da4c50ff7e90000000630e31e5f8f9cf6bfab1a1f94b1f530be67eaae9c1afd0f878366bad16f6b142456e82c787872b7028f862366de717400f3f4fe5ff867280ceac340642cf9ffd3d9ba83444aec4bac8a63fbc10fc6ef18015baffc91e900b75a72eab9bbb96a5141d9984a4a45b900dc3fb93bc727d72a67a3da24e45bb09f71a7736e89ba7573fbbe17dad85197c5d6b574f32a4946740000000775bade039b2903824ec5b802e0d46bfe6672486f3b8da81f3d80ab26540f1b3dae8189f534fc26b739c932d36c34ded2d82a52cf40d2d854c0d235776176940	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390021957"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2467BEA1-EAF4-11ED-8079-DA251FB5CF93} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0903310017fd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
340	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
340	IEXPLORE.EXE
340	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 580	928	MSOXMLED.EXE	29
PID 928 wrote to memory of 580	928	MSOXMLED.EXE	29
PID 928 wrote to memory of 580	928	MSOXMLED.EXE	29
PID 928 wrote to memory of 580	928	MSOXMLED.EXE	29
PID 580 wrote to memory of 340	580	iexplore.exe	30
PID 580 wrote to memory of 340	580	iexplore.exe	30
PID 580 wrote to memory of 340	580	iexplore.exe	30
PID 580 wrote to memory of 340	580	iexplore.exe	30
PID 340 wrote to memory of 1764	340	IEXPLORE.EXE	31
PID 340 wrote to memory of 1764	340	IEXPLORE.EXE	31
PID 340 wrote to memory of 1764	340	IEXPLORE.EXE	31
PID 340 wrote to memory of 1764	340	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.SDL2.Common.dll.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8492380b97965cad34182535f8cba22d

SHA1
a0d9ef919317537bff036782245adbff170d8389

SHA256
70a9eaecc5f276272dd2cf3632d394efe1846b032c70bbe7ffb62a661763c734

SHA512
10a164dd3cbb674fcd380d550c661b7c2edde56076a5378d75fc8f6f30166625faa8a14c845f5a3e09cd760be2d4850da38d97c1160521d62f9dbcafa27275e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8492380b97965cad34182535f8cba22d

SHA1
a0d9ef919317537bff036782245adbff170d8389

SHA256
70a9eaecc5f276272dd2cf3632d394efe1846b032c70bbe7ffb62a661763c734

SHA512
10a164dd3cbb674fcd380d550c661b7c2edde56076a5378d75fc8f6f30166625faa8a14c845f5a3e09cd760be2d4850da38d97c1160521d62f9dbcafa27275e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbf4147f08c1617995232139b8000e45

SHA1
21c1c073845d0bc7df9699d6ee1578e2804cb41c

SHA256
0c203aee557e68e75a5e8bdd34487e92a3a02c54ca0fc3626d7adaa95e5d58cd

SHA512
da50fb4497b211186e15503241a39dc3d687da1e79d3e527c04165fa5588661c7016bb7a0d2ec5528cc09cfd699614b44e5920fd8bfa7f3663ea700b88a04397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1592962b550dabe87334c1a9083d3022

SHA1
a6b467625583cd548e9a662448ed22aacc2fd97d

SHA256
639a3f1e1169936d3f32dc307c0ab1ba4a9120e1e6bb90da9d9f724bae5d3e95

SHA512
e0d23a81ec8c6d2f1b61f04fb470e7c262bdf1800d53cf8d310dbdae7edb15f658e47e06cf0cba86919b34ecac444346de2527ba197e39d0ad9abaa7ad3942f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ffea9a5dd5a583cb6c22baf73d769ec

SHA1
dede56fe6418adba5ed8afa7be564938f8a7b8a0

SHA256
799df990fae5d68bdd34acd4667b31495d84526b660a289a65bd0e8bfe9178ff

SHA512
9e5f67f64270a615cc253750006fd2a8bf175b7d45c233ad40d82a6cd7e73feabe29272fd3c5cdc9de35e377a84b8483cbec5fa0ffe291b9a7b224ab0776e02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73d96a0c7d674487ba9823f06afc1373

SHA1
eeac5dea5e4b508e9fa08a54993b37ae75dee81e

SHA256
31dbc435c89bfde64d7dfd23891c8a5dbfdc7464ba1b82c7eafc95c012b08cb7

SHA512
d44e7add3c75cb6d3dee4b5f16dcc6a39409f5af4a22c5a26a48cb1a808d86309d7654d5a0621c235da1063a4287998932c01d5ffcdc7757b4664ed60e6fad0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc64c905cdaf523e272ccfa05de01058

SHA1
4d20dc6a4feb74d017850720940735b06396810d

SHA256
d204e48ab43ecd8fa2f1dcfc648d5267c030280e4237b14e6cdce317b44fcf5e

SHA512
604dedb0ea8ec81f5da4805fc90f1c7664f6b10d16376fae7f0818dc5d7edabd302f237a0f2e4fa7ba4bcd460eb3774a4ddde0d2dcde3223bd7ad624a74b8a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66c8954f99d282db329e8950b40a5c4c

SHA1
ad541d2b5621247644b7be12086e635d3dbeb934

SHA256
efc787e82f84d6fd31ae7a38dc1e6cc5a73bbc90581b869658aa41ffd51683a2

SHA512
8dc36fcfc69bfd4e018324cfe46fe48aad397b682482fe4056ea35ba51e690a72d82f8e29f0046fcc4ab6cde079c3cee65e45a8da1f78704b1e3299c10125545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e2baaec6c2f3f0faf9b854a411abb4b

SHA1
1bdf564a41cd0f1806e4a300902e20a76ba80eb5

SHA256
80e0031458580ee553decdda51ae1c5080be39c38caff191897be41e339cc730

SHA512
606d76f66e3cd723306c51df058fd6ba71e822fd2b751d376ce1f0ba72513475942413ceddf0cdea1dcea7e85a900a7691571977d4c6c8c173a1891b72258de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09cad2f8c0da5ae79b56cfdaf85b9b50

SHA1
b5d4b2a47725cbfd63aefc14c1a148050b5ec7d5

SHA256
30c30c627de6faf26b23e3cccf92c3fd9813a6d578e3bbe81216205294f68350

SHA512
0e672b0401ede65207b45fadf0ed61a9c7618ad33cc73b8d7df1d2815ba9ba8f7974ec76ee44c6c33ae8cea55aa3676921296415d38840d070af69bf60a16fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4D33E1QE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab63C6.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar64E8.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C70F1N5O.txt

Filesize
601B

MD5
1f05fd822f0f3a5957661a34f537c2cc

SHA1
c420aede040503da0dda70ebb6b4583f68dc7097

SHA256
9180483964d789a86bf64ae4dd5b936d69d17e905dbeb94063f4ea95eb7b9761

SHA512
ca2f805625ac8d7b0c8ee314c93391edc772c2537f7cf7737b470a44d27fbc03cd59460682ceba0e1f0c4ff1134b0132c5d9b5b510ff4ad1e36a36066f0e6c5b

Download Submit